From owner-svn-src-all@FreeBSD.ORG Wed Feb 26 21:22:07 2014
Date: Wed, 26 Feb 2014 22:22:00 +0100
From: Mateusz Guzik
To: John Baldwin
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org, Mateusz Guzik
Subject: Re: svn commit: r262309 - head/sys/kern
Message-ID: <20140226212200.GB329@dft-labs.eu>
References: <201402212229.s1LMT9BF093587@svn.freebsd.org> <201402251308.43875.jhb@freebsd.org> <20140226192348.GA329@dft-labs.eu> <201402261529.31942.jhb@freebsd.org>
In-Reply-To: <201402261529.31942.jhb@freebsd.org>

On Wed, Feb 26, 2014 at 03:29:31PM -0500, John Baldwin wrote:
> On Wednesday, February 26, 2014 2:23:48 pm Mateusz Guzik wrote:
> > On Tue, Feb 25, 2014 at 01:08:43PM -0500, John Baldwin wrote:
> > > On Friday, February 21, 2014 5:29:09 pm Mateusz Guzik wrote:
> > > > Author: mjg
> > > > Date: Fri Feb 21 22:29:09 2014
> > > > New Revision: 262309
> > > > URL: http://svnweb.freebsd.org/changeset/base/262309
> > > >
> > > > Log:
> > > >   Fix a race between kern_proc_{o,}filedesc_out and fdescfree leading
> > > >   to use-after-free.
> > > >
> > > >   fdescfree proceeds to free file pointers once fd_refcnt reaches 0, but
> > > >   kern_proc_{o,}filedesc_out only checked for hold count.
> > >
> > > Can you describe the race in more detail?  The kern_* routines hold
> > > FILEDESC_SLOCK() while they read the file which should prevent
> > > fdescfree() from free'ing any files.  Note that fdfree() (called
> > > under FILEDESC_XLOCK()) clears the file pointer to NULL via the
> > > bzero(), so the sysctl handler should only see non-NULL pointers
> > > for files that are not yet free'd.
> > >
> >
> > Oops, you are right. I somehow misread the code.
> >
> > Still, the change is harmless and matches the other loop which iterates the
> > table (see sysctl_kern_file), so I think it can stay.
>
> Actually, I think that should be undone.  That was a hacky workaround for
> a long time ago when the FILEDESC locking wasn't a simple sx lock but was
> a mtx + sleep lock combo thing that had fast and slow variants.
>
> > Another thing is that with that change in place we can get rid of
> > XLOCK/XUNLOCK around fdfree in fdescfree.
>
> I would rather remove the fd_refcnt checks, or do them differently (not
> in the loop).  Right now a reader might be confused to think that
> fd_refcnt can change within the loop when it cannot and then worry about
> unhandled races that don't exist (i.e. if fd_refcnt can change within
> the loop, what prevents the individual file objects from being freed out
> from under the loop?)
>

But it can change. kern_proc_filedesc_out calls export_fd_to_sb which
drops the lock for each fp, and sysctl_kern_proc_ofiledesc drops the lock
when dealing with vnodes.

As far as I can say all this is safe - either the data is refed (vref on a
vnode) or the lock is still held while the data is being read, so by the
time fp can be freed it is no longer used.

> I originally thought just that when I saw this commit and was going to
> note that your change was not a true fix and still left the race open
> until I found upon further investigation that your change was just
> noise since there wasn't a race to begin with.  In the interest of
> clarity, please either remove the fd_refcnt checks from these loops
> (including sysctl_kern_file) or fix all three of them to do a single
> check after the SLOCK() but before the for loop itself.

My original misread of the code was that fdescfree can proceed to free
files and the functions I modified would encounter a stale fp once the lock
was taken.

A side effect of my change is that if we happen to catch an exiting process,
we may end up giving up instead of checking for mostly now-null pointers.

-- 
Mateusz Guzik
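Added illustration, not part of this thread and not FreeBSD's sys/kern code: a single-threaded C model of the two points argued above. fdescfree() clears each slot to NULL under the exclusive lock before dropping the file's reference, so a reader under the shared lock never sees a stale pointer; and a reader that drops the lock per fp (the export_fd_to_sb pattern) is still safe provided it holds its own reference across the unlock, even though fd_refcnt can go to zero in the meantime. The names FILEDESC_SLOCK/XLOCK, fdescfree, fhold/fdrop and fd_refcnt follow sys/kern, but every body here is a simplified assumption; NFD, export_files, process_exits and run_export are invented for the example, and the "process exits while the lock is dropped" hook stands in for real preemption. The single fd_refcnt check sits after SLOCK and before the loop, as John asks for.

```c
#include <assert.h>
#include <string.h>

/* Simplified model; names mirror sys/kern but bodies are assumptions. */
#define NFD 4

struct file {
	int f_count;     /* references; released when this reaches 0 */
	int f_released;  /* set instead of freeing, so it can be inspected */
};

struct filedesc {
	struct file *fd_ofiles[NFD];
	int fd_refcnt;   /* processes sharing the table */
	int fd_slocked;  /* readers holding the shared lock */
	int fd_xlocked;  /* writer holding the exclusive lock */
};

/* One thread taking a lock already held the other way would deadlock: a bug. */
static void FILEDESC_SLOCK(struct filedesc *fdp)   { assert(!fdp->fd_xlocked); fdp->fd_slocked++; }
static void FILEDESC_SUNLOCK(struct filedesc *fdp) { assert(fdp->fd_slocked > 0); fdp->fd_slocked--; }
static void FILEDESC_XLOCK(struct filedesc *fdp)   { assert(!fdp->fd_slocked && !fdp->fd_xlocked); fdp->fd_xlocked = 1; }
static void FILEDESC_XUNLOCK(struct filedesc *fdp) { assert(fdp->fd_xlocked); fdp->fd_xlocked = 0; }

static void fhold(struct file *fp) { assert(!fp->f_released); fp->f_count++; }
static void fdrop(struct file *fp) { assert(fp->f_count > 0); if (--fp->f_count == 0) fp->f_released = 1; }

/* Exit path: when the last process reference goes, each slot is NULLed while
 * XLOCKed (the fdfree() step); the file's reference is dropped unlocked. */
static void fdescfree(struct filedesc *fdp)
{
	if (--fdp->fd_refcnt > 0)
		return;
	FILEDESC_XLOCK(fdp);
	for (int i = 0; i < NFD; i++) {
		struct file *fp = fdp->fd_ofiles[i];
		if (fp == NULL)
			continue;
		fdp->fd_ofiles[i] = NULL;
		FILEDESC_XUNLOCK(fdp);
		fdrop(fp);
		FILEDESC_XLOCK(fdp);
	}
	FILEDESC_XUNLOCK(fdp);
}

struct outcome { int exported; int released_seen; int files_released; int fd_refcnt; };

/* Reader in the style of kern_proc_filedesc_out: one fd_refcnt check after
 * SLOCK, then per fp: hold, unlock, export, drop, relock. while_unlocked()
 * stands in for whatever runs while the lock is not held. */
static void export_files(struct filedesc *fdp, void (*while_unlocked)(struct filedesc *), struct outcome *o)
{
	FILEDESC_SLOCK(fdp);
	if (fdp->fd_refcnt == 0) {         /* table already torn down: give up */
		FILEDESC_SUNLOCK(fdp);
		return;
	}
	for (int i = 0; i < NFD; i++) {
		struct file *fp = fdp->fd_ofiles[i];
		if (fp == NULL)                /* cleared by fdfree(), never stale */
			continue;
		fhold(fp);                     /* keeps fp alive across the unlock */
		FILEDESC_SUNLOCK(fdp);
		if (while_unlocked != NULL)
			while_unlocked(fdp);
		if (fp->f_released)            /* this would be the use-after-free */
			o->released_seen++;
		else
			o->exported++;
		fdrop(fp);
		FILEDESC_SLOCK(fdp);
	}
	FILEDESC_SUNLOCK(fdp);
}

static struct filedesc g_fdp;
static struct file g_files[NFD];

/* Simulated preemption: the owning process exits while the lock is dropped. */
static void process_exits(struct filedesc *fdp)
{
	if (fdp->fd_refcnt > 0)
		fdescfree(fdp);
}

/* Constructed table of NFD open files; one export, optionally with the owner
 * exiting after the first fp has been handed out. */
static struct outcome run_export(int exit_midway)
{
	struct outcome o = { 0, 0, 0, 0 };

	memset(&g_fdp, 0, sizeof(g_fdp));
	memset(g_files, 0, sizeof(g_files));
	for (int i = 0; i < NFD; i++) {
		g_files[i].f_count = 1;
		g_fdp.fd_ofiles[i] = &g_files[i];
	}
	g_fdp.fd_refcnt = 1;
	export_files(&g_fdp, exit_midway ? process_exits : NULL, &o);
	for (int i = 0; i < NFD; i++)
		o.files_released += g_files[i].f_released;
	o.fd_refcnt = g_fdp.fd_refcnt;
	return o;
}
```

With the exit injected, run_export(1) exports only fd 0 (the reader's reference keeps that file alive until fdrop), sees no released file, and finds fd_refcnt at zero and all four files released afterwards; the remaining slots are NULL by the time the lock is retaken, which is the "mostly now-null pointers" case. Without interference, run_export(0) exports all four and releases none.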