On Tue, Dec 08, 2020 at 04:40:16PM +0100, Mateusz Guzik wrote:
> I think this is a long-standing bug against exiting processes.
>
> filedesc_out only increments *hold* count, but that does not prevent
> fdescfree_fds from progressing and freeing everything without any
> locks held.
I think it is fallout from r367777: before that, fdescfree() acquired and released the exclusive fd table lock between decrementing fdp->fd_refcount and calling fdescfree_fds(). This would serialize with the loop in kern_proc_fildesc_out(), which checks fdp->fd_refcount > 0 at the beginning of each iteration. Now there is no serialization and they can race.

> A hotfix (for mfc) would add locking around it, but a long-term fix
> should wait for hold count to drain. By that point there can't be any
> new arrivals due to:
>
> PROC_LOCK(p);
> p->p_fd = NULL;
> PROC_UNLOCK(p);
>
> I'll code both later today.
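A user-space model of the race and of the "wait for the hold count to drain" fix discussed above, added here as an example and not code from the thread or from FreeBSD; refcount, holdcnt, proc_lock and p_fd are stand-ins I chose for fd_refcount, fd_holdcnt, PROC_LOCK and p->p_fd, and the reader and freer threads only mimic the shape of kern_proc_fildesc_out() and fdescfree().

```c
#include <pthread.h>
#include <sched.h>
#include <stdlib.h>
/* Constructed user-space model of the race, not FreeBSD code: refcount stands in
 * for fd_refcount (owners), holdcnt for fd_holdcnt (a hold pins only the struct). */
struct fdtable { volatile int refcount; int holdcnt, nfiles, *files; };
static pthread_mutex_t proc_lock = PTHREAD_MUTEX_INITIALIZER; /* PROC_LOCK stand-in */
static struct fdtable *p_fd;                                  /* p->p_fd stand-in */
/* Reader (kern_proc_fildesc_out model): hold, walk slots while refcount > 0, drop.
 * Returns how many already torn-down (-1) slots it saw; the drain keeps it at 0. */
static void *reader(void *arg)
{
	long bad = 0; (void)arg;
	pthread_mutex_lock(&proc_lock);
	struct fdtable *t = p_fd;
	if (t) t->holdcnt++;                                  /* fdhold() */
	pthread_mutex_unlock(&proc_lock);
	if (!t) return NULL;                  /* p_fd already NULL: no new arrivals */
	for (int i = 0; i < t->nfiles && t->refcount > 0; i++) bad += (t->files[i] < 0);
	pthread_mutex_lock(&proc_lock); t->holdcnt--; pthread_mutex_unlock(&proc_lock); /* fddrop() */
	return (void *)bad;
}
/* Freer (fdescfree model): clear p_fd under the lock so no new hold can be taken,
 * drop the owner reference, then wait for holds to drain before freeing slots. */
static void *freer(void *arg)
{
	struct fdtable *t = arg;
	pthread_mutex_lock(&proc_lock);
	p_fd = NULL; t->refcount--;
	while (t->holdcnt > 0) {                 /* the long-term fix: drain holds */
		pthread_mutex_unlock(&proc_lock); sched_yield(); pthread_mutex_lock(&proc_lock);
	}
	pthread_mutex_unlock(&proc_lock);
	for (int i = 0; i < t->nfiles; i++) t->files[i] = -1; /* poison, then free */
	free(t->files);
	return NULL;
}
/* Four readers race one teardown; returns the total poisoned slots they saw. */
long run_scenario(void)
{
	pthread_t th[5]; void *r; long bad = 0;
	struct fdtable *t = calloc(1, sizeof(*t));
	t->refcount = 1; t->nfiles = 1 << 16; t->files = calloc(t->nfiles, sizeof(int));
	p_fd = t;
	for (int i = 0; i < 4; i++) pthread_create(&th[i], NULL, reader, NULL);
	pthread_create(&th[4], NULL, freer, t);
	for (int i = 0; i < 5; i++) { pthread_join(th[i], &r); bad += (long)r; }
	free(t); return bad;
}
```

Removing the drain loop in freer() reproduces the ordering the thread describes: a reader that took its hold before p_fd was cleared can still be walking the slots while they are poisoned and freed.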