On Tue, Apr 08, 2014 at 10:21:37AM +0200, Mateusz Guzik wrote:
> On Tue, Apr 08, 2014 at 03:12:22PM +0800, Zheng Liu wrote:
> >
> > +int __close_fds(struct files_struct *files, int lowfd)
> > +{
> > + struct file *file;
> > + struct fdtable *fdt;
> > + int fd;
> > +
> > + if (lowfd < 0)
> > + lowfd = 0;
> > + spin_lock(&files->file_lock);
> > + fdt = files_fdtable(files);
> > + if (lowfd >= fdt->max_fds)
> > + goto out_unlock;
> > + for (fd = lowfd; fd < fdt->max_fds; fd++) {
> > + file = fdt->fd[fd];
> > + if (!file)
> > + continue;
> > +
> > + rcu_assign_pointer(fdt->fd[fd], NULL);
> > + __clear_close_on_exec(fd, fdt);
> > + __put_unused_fd(files, fd);
> > + spin_unlock(&files->file_lock);
> > + filp_close(file, files);
> > + spin_lock(&files->file_lock);
> > + }
> > +
> > +out_unlock:
> > + spin_unlock(&files->file_lock);
> > + return 0;
> > +}
> > +
>
> Can't comment on the usefulness of the patch, but I would like to note:
>
> 1. fdt could be freed after you drop the lock, but you never reload the
> pointer, thus this looks like use-after-free
> 2. most of this looks like __close_fd, maybe some parts could be moved
> to an inline function so that code duplication is reduced?

Ah, yes, my fault. I will fix them in the next version. Thanks for pointing it out.

Regards,
- Zheng
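Review bot: after the `spin_lock(&files->file_lock);` that re-takes the lock at the bottom of the loop, `fdt` is still the pointer loaded before the lock was dropped, so a concurrent fd-table expansion can free that table and the next `fdt->fd[fd]` and `fdt->max_fds` accesses are a use-after-free; reload with `fdt = files_fdtable(files);` after re-locking and re-check `fd < fdt->max_fds` before touching the slot, since the loop bound is stale for the same reason. Separately, the result of `filp_close(file, files);` is discarded and the function always ends in `return 0;`, so a flush error on any of the closed files is silently lost; consider recording the first non-zero result and returning it. Since the per-fd body repeats the slot-release steps of __close_fd(), moving them into a shared helper would remove the duplication and keep the fdt reload in one place.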