The branch stable/12 has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=fd478d518f49084e5bc4ff3ee0ae020c8db42b9e
commit fd478d518f49084e5bc4ff3ee0ae020c8db42b9e Author: Kyle Evans <[email protected]> AuthorDate: 2020-11-23 00:33:06 +0000 Commit: Kyle Evans <[email protected]> CommitDate: 2021-01-24 03:17:57 +0000 kern: dup: do not assume oldfde is valid oldfde may be invalidated if the table has grown due to the operation that we're performing, either via fdalloc() or a direct fdgrowtable_exp(). This was technically OK before rS367927 because the old table remained valid until the filedesc became unused, but now it may be freed immediately if it's an unshared table in a single-threaded process, so it is no longer a good assumption to make. This fixes dup/dup2 invocations that grow the file table; in the initial report, it manifested as a kernel panic in devel/gmake's configure script. (cherry picked from commit f96078b8fe55c944f32c3c82ebb9c360bc155823) --- sys/kern/kern_descrip.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/sys/kern/kern_descrip.c b/sys/kern/kern_descrip.c index 1727532a8c95..bfa67c64f265 100644 --- a/sys/kern/kern_descrip.c +++ b/sys/kern/kern_descrip.c @@ -821,7 +821,7 @@ kern_dup(struct thread *td, u_int mode, int flags, int old, int new) struct filedesc *fdp; struct filedescent *oldfde, *newfde; struct proc *p; - struct file *delfp; + struct file *delfp, *oldfp; u_long *oioctls, *nioctls; int error, maxfd; @@ -860,7 +860,8 @@ kern_dup(struct thread *td, u_int mode, int flags, int old, int new) } oldfde = &fdp->fd_ofiles[old]; - if (!fhold(oldfde->fde_file)) + oldfp = oldfde->fde_file; + if (!fhold(oldfp)) goto unlock; /* @@ -872,14 +873,14 @@ kern_dup(struct thread *td, u_int mode, int flags, int old, int new) case FDDUP_NORMAL: case FDDUP_FCNTL: if ((error = fdalloc(td, new, &new)) != 0) { - fdrop(oldfde->fde_file, td); + fdrop(oldfp, td); goto unlock; } break; case FDDUP_MUSTREPLACE: /* Target file descriptor must exist. */ if (fget_locked(fdp, new) == NULL) { - fdrop(oldfde->fde_file, td); + fdrop(oldfp, td); goto unlock; } break; @@ -900,7 +901,7 @@ kern_dup(struct thread *td, u_int mode, int flags, int old, int new) PROC_UNLOCK(p); if (error != 0) { error = EMFILE; - fdrop(oldfde->fde_file, td); + fdrop(oldfp, td); goto unlock; } } @@ -916,6 +917,12 @@ kern_dup(struct thread *td, u_int mode, int flags, int old, int new) KASSERT(old != new, ("new fd is same as old")); + /* Refetch oldfde because the table may have grown and old one freed. */ + oldfde = &fdp->fd_ofiles[old]; + KASSERT(oldfp == oldfde->fde_file, + ("fdt_ofiles shift from growth observed at fd %d", + old)); + newfde = &fdp->fd_ofiles[new]; delfp = newfde->fde_file; _______________________________________________ [email protected] mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "[email protected]"
