Date: Wed, 2 Dec 2015 21:29:58 +0100
From: Mateusz Guzik
To: Hans Petter Selasky
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r291481 - head/sys/compat/linuxkpi/common/include/linux

On Mon, Nov 30, 2015 at 09:24:12AM +0000, Hans Petter Selasky wrote:
> Author: hselasky
> Date: Mon Nov 30 09:24:12 2015
> New Revision: 291481
> URL: https://svnweb.freebsd.org/changeset/base/291481
>
> Log:
> Add more functions and types to the LinuxKPI.
>
> MFC after: 1 week
> Sponsored by: Mellanox Technologies
>
> Modified:
> head/sys/compat/linuxkpi/common/include/linux/file.h
> head/sys/compat/linuxkpi/common/include/linux/workqueue.h
>
> Modified: head/sys/compat/linuxkpi/common/include/linux/file.h > ============================================================================== > --- head/sys/compat/linuxkpi/common/include/linux/file.h Mon Nov 30 09:13:04 2015 (r291480) > +++ head/sys/compat/linuxkpi/common/include/linux/file.h Mon Nov 30 09:24:12 2015 (r291481) > @@ -2,7 +2,7 @@ > * Copyright (c) 2010 Isilon Systems, Inc. > * Copyright (c) 2010 iX Systems, Inc. > * Copyright (c) 2010 Panasas, Inc. > - * Copyright (c) 2013 Mellanox Technologies, Ltd. > + * Copyright (c) 2013-2015 Mellanox Technologies, Ltd. > * All rights reserved. > * > * Redistribution and use in source and binary forms, with or without 
> @@ -125,6 +125,21 @@ get_unused_fd(void) > return fd; > } > > +static inline int > +get_unused_fd_flags(int flags) > +{ > + struct file *file; > + int error; > + int fd; > + > + error = falloc(curthread, &file, &fd, flags); > + if (error) > + return -error; > + /* drop the extra reference */ > + fdrop(file, curthread); > + return fd; > +} > +

This does not look right.

AFAIR Linux drivers are not going to install fds into kernel threads. So this would be used for a userspace thread, but then it would be completely insecure.

The Linux model is to reserve a slot in the fd table, obtain a 'file' object and install it as the last step.

FreeBSD installs the file right away, but this means an extra reference has to be held in case something else using the table closes the fd. As such, this fdrop can lead to a use-after-free as the file can be freed from this point.

I'm afraid there is no way around patching imported consumers.

--
Mateusz Guzik
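
Review bot: In get_unused_fd_flags(), the fdrop(file, curthread) immediately after falloc() releases the only reference this function holds, yet the function goes on to return fd as if it were a reserved but unused slot. Nothing in the hunk keeps the file alive between this return and whatever the consumer later does with the descriptor, so any close of that fd by another user of the table leaves the consumer working on a released file, which is the use-after-free raised in the reply. Suggest not dropping the reference here: either hand the held file back to the caller along with the fd, or keep the reference until the consumer's own install step, and replace the "drop the extra reference" comment with one stating who owns the reference on return.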
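
The reference-count hazard described in the reply above, as an added toy model in user-space C. It is not FreeBSD or LinuxKPI code and not part of the original message; `tfile`, `install_now`, `tclose` and `tdrop` are hypothetical stand-ins, and "freed" is a flag rather than a real deallocation.

```c
#include <stddef.h>

/* Toy user-space model; every name here is hypothetical, not a kernel API. */
enum { NFD = 4 };
struct tfile { int refs; int freed; };
static struct tfile pool[NFD];     /* backing storage for file objects */
static struct tfile *table[NFD];   /* the shared descriptor table */

/* Drop one reference; the object counts as freed when it reaches zero. */
static void tdrop(struct tfile *f) { if (--f->refs == 0) f->freed = 1; }

/* Install-first allocation: the file is visible in the table at once.
 * One reference belongs to the table, one to the caller. */
static int install_now(struct tfile **fp) {
    for (int fd = 0; fd < NFD; fd++) {
        if (table[fd] != NULL) continue;
        pool[fd].refs = 2; pool[fd].freed = 0;
        table[fd] = *fp = &pool[fd];
        return fd;
    }
    return -1;                      /* table full */
}

/* Another user of the table closes the fd: the table's reference goes. */
static void tclose(int fd) {
    struct tfile *f = table[fd];
    table[fd] = NULL;
    if (f != NULL) tdrop(f);
}

/* Caller drops its reference early, then a close races in.
 * Returns 1 if the file is gone while the caller still has work to do. */
static int early_drop_then_close(void) {
    struct tfile *f;
    int fd = install_now(&f);
    if (fd < 0) return -1;
    tdrop(f);                       /* "drop the extra reference" */
    tclose(fd);
    return f->freed;
}

/* Caller keeps its reference until setup is finished.
 * Returns 1 if the file survived the same racing close. */
static int held_ref_survives_close(void) {
    struct tfile *f;
    int fd = install_now(&f);
    if (fd < 0) return -1;
    tclose(fd);
    int alive = !f->freed;          /* still safe to initialise f here */
    tdrop(f);                       /* release only when done */
    return alive;
}

int main(void) { return !(early_drop_then_close() == 1 && held_ref_survives_close() == 1); }
```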