Patch to increase the scope of the locked critical path in fget_light to include the conditional where there is only one reference to the passed file_struct. Currently there is no protection against someone modifying that reference count after it has been read in fget_light and falling into a code path where the fd array is modified. The result is a race condition that leads to a corrupted fd table and potential oopses. This patch corrects that by enforcing the locking protocol that is used by all other accessors of the fd table on the 1 reference case in fget_light. Smoke tested by me, with no failures. Signed-off-by: Neil Horman <[email protected]> file_table.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) --- linux-2.6.git/fs/file_table.c.racefix 2005-05-20 07:32:12.000000000 -0400 +++ linux-2.6.git/fs/file_table.c 2005-05-20 08:53:03.000000000 -0400 @@ -174,17 +174,17 @@ struct file fastcall *fget_light(unsigne struct files_struct *files = current->files; *fput_needed = 0; + spin_lock(&files->file_lock); if (likely((atomic_read(&files->count) == 1))) { file = fcheck_files(files, fd); } else { - spin_lock(&files->file_lock); file = fcheck_files(files, fd); if (file) { get_file(file); *fput_needed = 1; } - spin_unlock(&files->file_lock); } + spin_unlock(&files->file_lock); return file; } -- /*************************************************** *Neil Horman *Software Engineer *Red Hat, Inc. *[email protected] *gpg keyid: 1024D / 0x92A74FA1 *http://pgp.mit.edu ***************************************************/
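Review bot: Moving spin_lock(&files->file_lock) above the if removes the lockless fast path that the atomic_read(&files->count) == 1 branch exists to provide; after this hunk both branches hold the lock and differ only in whether get_file() is called and *fput_needed is set, so on the common single-holder case fget_light() no longer gains anything over a plain locked lookup. The race the message describes requires files->count to move from 1 to 2 between the atomic_read and fcheck_files(), but files is current->files, so when the count reads 1 the only holder is current, and the message does not name the path that would add a second holder while current is inside fget_light(). Either spell out that path in the commit message, or keep the first branch lock-free and restore the spin_lock(&files->file_lock) / spin_unlock(&files->file_lock) pair inside the else branch where it was.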