On Tue, Apr 08, 2014 at 03:12:22PM +0800, Zheng Liu wrote:
>
> +int __close_fds(struct files_struct *files, int lowfd)
> +{
> +	struct file *file;
> +	struct fdtable *fdt;
> +	int fd;
> +
> +	if (lowfd < 0)
> +		lowfd = 0;
> +	spin_lock(&files->file_lock);
> +	fdt = files_fdtable(files);
> +	if (lowfd >= fdt->max_fds)
> +		goto out_unlock;
> +	for (fd = lowfd; fd < fdt->max_fds; fd++) {
> +		file = fdt->fd[fd];
> +		if (!file)
> +			continue;
> +
> +		rcu_assign_pointer(fdt->fd[fd], NULL);
> +		__clear_close_on_exec(fd, fdt);
> +		__put_unused_fd(files, fd);
> +		spin_unlock(&files->file_lock);
> +		filp_close(file, files);
> +		spin_lock(&files->file_lock);
> +	}
> +
> +out_unlock:
> +	spin_unlock(&files->file_lock);
> +	return 0;
> +}
> +

Can't comment on the usefulness of the patch, but I would like to note:

1. fdt could be freed after you drop the lock, but you never reload the
pointer, thus this looks like use-after-free

2. most of this looks like __close_fd, maybe some parts could be moved to
an inline function so that code duplication is reduced?

-- 
Mateusz Guzik
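Review bot: the `fdt` obtained once before the loop is reused after `spin_unlock(&files->file_lock)` / `filp_close()` / `spin_lock(&files->file_lock)`, yet while the lock is dropped another thread can expand the table and free the old `struct fdtable`, so both the loop bound `fd < fdt->max_fds` and the `fdt->fd[fd]` load on the next iteration dereference a possibly stale pointer. After re-taking the lock, reload it and re-check the bound before touching the table again, e.g. `spin_lock(&files->file_lock); fdt = files_fdtable(files); if (fd >= fdt->max_fds) break;` (with the lock-release/re-acquire moved to the end of the loop body so the reload covers the next iteration). Also, the function is declared `int` but can only ever `return 0`; either make it `void` or document what a non-zero return would mean, so callers are not misled into checking a status that is never set.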