* bad race in select (both SMP and UP) fixed. Old code does
fcheck(fd) and might block before incrementing f_count; to trigger
that one needs a select() on fdset with >170 members. Exploitable
(clone() with COPY_FILES, select() in one thread, close() in
another + right timing). Result being the dangling pointer to
struct file. With all usual consequences.
* race in dup2() fixed. (dup2(fd1,fd2) in one thread, close(fd1) in
another, right timing and you've got both fd1 and fd2 closed)
* bad race in do_load_aout_binary() fixed (more or less the same -
exec() vs. close() instead of select() vs. close()).
* fget(), get_unused_fd(), put_unused_fd(), sys_dup(), sys_dup2() -
SMP-safe. Big lock shifting will follow - there's more to do here.
* ->files->fd handling became SMP-safe (or so I hope ;-). It will
need more cleanup and quite possibly some fixes, but the main
part is there. Big mess remains in arch/* - it will be the next
thing to fix. I didn't include large fd array support, but it
should be easy to do now.
* fput() made inline (thanks, Alexey). It still requires the big
* AF_UNIX handling of in-flight count fixed (ditto).
So there... I'm not posting the thing to l-k - 66K is over the top.
Comments are more than welcome, indeed. Patch is against 2.3.9-pre1 and
it's *dangerous* - it may open new races somewhere. You've been warned.
It should compile, but that's about all I can say. To be continued...
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to firstname.lastname@example.org
Please read the FAQ at http://www.tux.org/lkml/