diff options
| author | Kyle Evans <kevans@FreeBSD.org> | 2020-11-23 00:33:06 +0000 |
|---|---|---|
| committer | Kyle Evans <kevans@FreeBSD.org> | 2021-01-24 03:17:57 +0000 |
| commit | fd478d518f49084e5bc4ff3ee0ae020c8db42b9e (patch) | |
| tree | 970030716c1105b629b5b84fbaad51d7d6747572 | |
| parent | d9cc55ea82faf6b7660d9a715b936657c6e6a8af (diff) | |
| download | src-fd478d518f49084e5bc4ff3ee0ae020c8db42b9e.tar.gz src-fd478d518f49084e5bc4ff3ee0ae020c8db42b9e.zip | |
kern: dup: do not assume oldfde is valid
oldfde may be invalidated if the table has grown due to the operation that
we're performing, either via fdalloc() or a direct fdgrowtable_exp().
This was technically OK before rS367927 because the old table remained valid
until the filedesc became unused, but now it may be freed immediately if
it's an unshared table in a single-threaded process, so it is no longer a
good assumption to make.
This fixes dup/dup2 invocations that grow the file table; in the initial
report, it manifested as a kernel panic in devel/gmake's configure script.
(cherry picked from commit f96078b8fe55c944f32c3c82ebb9c360bc155823)
| -rw-r--r-- | sys/kern/kern_descrip.c | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/sys/kern/kern_descrip.c b/sys/kern/kern_descrip.c index 1727532a8c95..bfa67c64f265 100644 --- a/sys/kern/kern_descrip.c +++ b/sys/kern/kern_descrip.c @@ -821,7 +821,7 @@ kern_dup(struct thread *td, u_int mode, int flags, int old, int new) struct filedesc *fdp; struct filedescent *oldfde, *newfde; struct proc *p; - struct file *delfp; + struct file *delfp, *oldfp; u_long *oioctls, *nioctls; int error, maxfd; @@ -860,7 +860,8 @@ kern_dup(struct thread *td, u_int mode, int flags, int old, int new) } oldfde = &fdp->fd_ofiles[old]; - if (!fhold(oldfde->fde_file)) + oldfp = oldfde->fde_file; + if (!fhold(oldfp)) goto unlock; /* @@ -872,14 +873,14 @@ kern_dup(struct thread *td, u_int mode, int flags, int old, int new) case FDDUP_NORMAL: case FDDUP_FCNTL: if ((error = fdalloc(td, new, &new)) != 0) { - fdrop(oldfde->fde_file, td); + fdrop(oldfp, td); goto unlock; } break; case FDDUP_MUSTREPLACE: /* Target file descriptor must exist. */ if (fget_locked(fdp, new) == NULL) { - fdrop(oldfde->fde_file, td); + fdrop(oldfp, td); goto unlock; } break; @@ -900,7 +901,7 @@ kern_dup(struct thread *td, u_int mode, int flags, int old, int new) PROC_UNLOCK(p); if (error != 0) { error = EMFILE; - fdrop(oldfde->fde_file, td); + fdrop(oldfp, td); goto unlock; } } @@ -916,6 +917,12 @@ kern_dup(struct thread *td, u_int mode, int flags, int old, int new) KASSERT(old != new, ("new fd is same as old")); + /* Refetch oldfde because the table may have grown and old one freed. */ + oldfde = &fdp->fd_ofiles[old]; + KASSERT(oldfp == oldfde->fde_file, + ("fdt_ofiles shift from growth observed at fd %d", + old)); + newfde = &fdp->fd_ofiles[new]; delfp = newfde->fde_file; |