From: Thomas Veerman
Date: Fri, 13 Apr 2012 09:08:39 +0000 (+0000)
Subject: VFS: fix filp reuse race
X-Git-Tag: v3.2.1~591
X-Git-Url: http://zhaoyanbai.com/repos/man.dnssec-keygen.html?a=commitdiff_plain;h=26ec619a3089cb3563f4030119f36a6ae244f469;p=minix.git

VFS: fix filp reuse race

Pipes consist of two filps (read filp and write filp) and a shared vnode. When the writer leaves, the filp reference count drops to zero and subsequent find_filp()s should not find the filp when a reader looks for it, and the reader gets EOF. However, the pipe() system call tries to find two filps, marks them in use, and only after a successful node creation on PFS overwrites the shared vnode with the new vnode. Consequently, this leaves a small window where a just closed 'pipe write filp' gets reused and marked as present, before becoming the actual new 'pipe write filp' for a new pipe. A reader for the old pipe will think a writer is present and wait for that writer to write something or to leave; both actions should revive the suspended reader. This will never happen and the reader will be stuck forever.

---

diff --git a/servers/vfs/filedes.c b/servers/vfs/filedes.c index b681ee8f4..a3a820a0a 100644 --- a/servers/vfs/filedes.c +++ b/servers/vfs/filedes.c @@ -586,6 +586,8 @@ struct filp *f; unlock_vnode(f->filp_vno); put_vnode(f->filp_vno); + f->filp_vno = NULL; + f->filp_mode = FILP_CLOSED; } else if (f->filp_count < 0) { panic("VFS: invalid filp count: %d ino %d/%d", f->filp_count, vp->v_dev, vp->v_inode_nr);
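Review bot: the two added assignments in the count-reached-zero branch carry no comment saying why they are there, and the reason is not obvious from the code alone: this is the fix for the filp-reuse race in the commit message (a just-closed pipe write filp still pointing at the old vnode can be found by find_filp() and marked present before pipe() installs its new vnode). Add a short comment above `f->filp_vno = NULL;`, for example `/* Detach from the vnode so a recycled filp is not found by find_filp() */`, so nobody later "cleans up" these lines as redundant. The placement after `put_vnode(f->filp_vno);` is the right one and should be called out in that comment too, because put_vnode() still needs the pointer; moving the reset above it would pass NULL. The `else if (f->filp_count < 0)` panic branch is unaffected since it reads `vp`, not `f->filp_vno`.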