I found a race condition in kern_descrip.c. The race is in the function falloc(); it opens a race window at line 1147:
FILEDESC_UNLOCK(p->p_fd);
sx_xlock(&filelist_lock);
FILEDESC_LOCK(p->p_fd);
fix:
--- kern_descrip.c Tue Jul 16 12:29:44 2002
+++ kern_descrip.c.new Tue Jul 16 12:26:50 2002
@@ -1107,6 +1107,7 @@
register struct file *fp, *fq;
int error, i;
+retry:
sx_xlock(&filelist_lock);
if (nfiles >= maxfiles) {
sx_xunlock(&filelist_lock);
@@ -1151,6 +1152,13 @@
LIST_INSERT_AFTER(fq, fp, f_list);
} else {
LIST_INSERT_HEAD(&filehead, fp, f_list);
+ }
+ if (p->p_fd->fd_ofiles[i] != NULL) {
+ fp->f_count = 0;
+ FILEDESC_UNLOCK(p->p_fd);
+ sx_xunlock(&filelist_lock);
+ ffree(fp);
+ goto retry;
}
p->p_fd->fd_ofiles[i] = fp;
FILEDESC_UNLOCK(p->p_fd);
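Review bot: The retry branch added in this hunk unlinks nothing itself, so its correctness rests on ffree() removing fp from filehead and undoing the earlier nfiles++ under filelist_lock, which is why `fp->f_count = 0` is presumably set first (ffree() appears to assert a zero count) and why the `retry:` label from the first hunk sits above the maxfiles check; none of that is stated, so a comment is warranted, e.g. `/* Slot i was taken by another thread while both locks were dropped; ffree() unlinks fp from filehead and drops nfiles, so restart above the maxfiles check. */`. Between the `sx_xunlock(&filelist_lock)` and ffree()'s own relock, fp is still reachable from filehead with f_count == 0, so anything walking the global list and taking references in that window can observe a zero-count file. Checking `p->p_fd->fd_ofiles[i]` immediately after the preceding FILEDESC_LOCK, before the LIST_INSERT, would avoid publishing fp at all and let the bail-out mirror the existing fdalloc() failure cleanup, though that cleanup is outside this hunk and should be confirmed. falloc() continues past the hunk; the trailing sx_xunlock and the result stores are not shown here.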
---
David Xu
I칻&ޱݙݢjH:+칻&~n\ޞاܨ~^,j