Page MenuHomeFreeBSD
Differential D27513

fd: Plug a race between fd table free and several loops
ClosedPublic
Actions

Authored by markj on Dec 8 2020, 4:39 PM.
Tags
None
Referenced Files
Unknown Object (File)
Feb 19 2024, 6:39 PM
Unknown Object (File)
Dec 20 2023, 7:51 AM
Unknown Object (File)
Aug 27 2023, 2:27 AM
Unknown Object (File)
Jul 8 2023, 1:03 AM
Unknown Object (File)
Jul 8 2023, 1:03 AM
Unknown Object (File)
Jul 8 2023, 1:01 AM
Unknown Object (File)
Jul 8 2023, 1:01 AM
Unknown Object (File)
Jul 8 2023, 1:01 AM
View All 19 Files
Subscribers
imp

Details

Reviewers
mjg
kib
cem
Commits
rS368486: Plug a race between fd table teardown and several loops
Summary

To export info from an fd table we have several loops which do this:

FILDESC_SLOCK(fdp);
for (i = 0; fdp->fd_refcount > 0 && i < fdp->fd_lastfile; i++) {
	<export info for fd i>;
}
FILDESC_SUNLOCK(fdp);

Before r367777, fdescfree() acquired the fdtable exclusive lock between
decrementing fdp->fd_refcount and freeing table entries. This
serialized with the loop above, so the file at descriptor i would remain
valid until the lock is dropped. Now there is no serialization, so the
loops may access freed entries.

Restore the previous synchronization to fix the bug. This could be
micro-optimized to reduce the number of atomic operations but for now I
would just like to fix the bug.

Reported by: pho

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

markj created this revision.Dec 8 2020, 4:39 PM
Herald added a subscriber: imp. · View Herald TranscriptDec 8 2020, 4:39 PM
markj requested review of this revision.Dec 8 2020, 4:39 PM
Harbormaster completed remote builds in B35257: Diff 80444.Dec 8 2020, 4:39 PM
markj edited the summary of this revision. (Show Details)Dec 8 2020, 4:40 PM
markj added reviewers: mjg, kib, cem.
mjg added a comment.EditedDec 8 2020, 4:46 PM

I hacked up a short patch, but I'm not fond of it. I think this will be fine for now if you add an asssertion that fd_refcnt == 0

markj updated this revision to Diff 80445.Dec 8 2020, 4:55 PM

Add an assertion.

Harbormaster completed remote builds in B35258: Diff 80445.Dec 8 2020, 4:55 PM
mjg accepted this revision.Dec 8 2020, 4:56 PM
This revision is now accepted and ready to land.Dec 8 2020, 4:56 PM
kib accepted this revision.Dec 8 2020, 5:04 PM
markj added inline comments.Dec 8 2020, 6:40 PM
sys/kern/kern_descrip.c
2467 ↗(On Diff #80445)

Actually this assertion isn't true for calls coming from fdescfree_remapped(). I think that code path can only be triggered by cloudabi.

markj updated this revision to Diff 80453.Dec 8 2020, 6:41 PM
  • Typos.
  • Decrement fd_refcnt in fdescfree_remapped() if INVARIANTS is configured.
This revision now requires review to proceed.Dec 8 2020, 6:41 PM
Harbormaster completed remote builds in B35262: Diff 80453.Dec 8 2020, 6:41 PM
mjg accepted this revision.Dec 8 2020, 7:09 PM
This revision is now accepted and ready to land.Dec 8 2020, 7:09 PM
cem added a comment.Dec 9 2020, 2:32 AM

I'm not sure I understand the solution, but totally believe there's a bug in this area.

sys/kern/kern_descrip.c
2467 ↗(On Diff #80445)

Yeah, the _remapped paths are cloudabi only and should be removed with cloudabi.

Closed by commit rS368486: Plug a race between fd table teardown and several loops (authored by markj). · Explain WhyDec 9 2020, 2:05 PM
This revision was automatically updated to reflect the committed changes.
markj added a commit: rS368486: Plug a race between fd table teardown and several loops.

Revision Contents
Changeset List

PathSize
head/
sys/
kern/
12 lines

Diff 80476

View Options

head/sys/kern/kern_descrip.c

Loading...