[Patch] vfs: increase scope of critical locked path in fget_light to avoid race

From: Neil Horman
Date: Fri May 20 2005 - 08:25:20 EST


Patch to increase the scope of the locked critical path in fget_light to include
the conditional where there is only one reference to the passed file_struct.
Currently there is no protection against someone modifying that reference count
after it has been read in fget_light and falling into a code path where the fd
array is modified. The result is a race condition that leads to a corrupted fd
table and potential oopses. This patch corrects that by enforcing the locking
protocol that is used by all other accessors of the fd table on the 1 reference
case in fget_light. Smoke tested by me, with no failures.

Signed-off-by: Neil Horman <nhorman@xxxxxxxxxx>

file_table.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)


--- linux-2.6.git/fs/file_table.c.racefix 2005-05-20 07:32:12.000000000 -0400
+++ linux-2.6.git/fs/file_table.c 2005-05-20 08:53:03.000000000 -0400
@@ -174,17 +174,17 @@ struct file fastcall *fget_light(unsigne
struct files_struct *files = current->files;

*fput_needed = 0;
+ spin_lock(&files->file_lock);
if (likely((atomic_read(&files->count) == 1))) {
file = fcheck_files(files, fd);
} else {
- spin_lock(&files->file_lock);
file = fcheck_files(files, fd);
if (file) {
get_file(file);
*fput_needed = 1;
}
- spin_unlock(&files->file_lock);
}
+ spin_unlock(&files->file_lock);
return file;
}
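Review bot: the extended lock does not pin the pointer returned by the count == 1 branch. In that branch fcheck_files() is now called under file_lock, but no get_file() is taken and *fput_needed stays 0, so once spin_unlock(&files->file_lock) runs the caller holds a bare struct file pointer with no reference; the very scenario the description names (someone raising files->count after the check and then modifying the fd array) can still happen after the unlock, and the lock only narrows the window rather than closing it. Either the count == 1 path needs to take a reference like the else branch (which then makes the two branches identical and the distinction pointless), or the description should explain why count == 1 guarantees no other task can touch the table, in which case the original lockless fast path was already correct and this change only adds an unconditional spin_lock on every fget_light() call. Please state which of these is intended, and include the fcheck_files() callers' expectations about the lock in the changelog.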

--
/***************************************************
*Neil Horman
*Software Engineer
*Red Hat, Inc.
*nhorman@xxxxxxxxxx
*gpg keyid: 1024D / 0x92A74FA1
*http://pgp.mit.edu
***************************************************/
