Clear the pointers to the file in the struct filedesc before file is closed

in fdfree. Otherwise, sysctl_kern_proc_filedesc may dereference stale struct file * values. Reported and tested by: pho MFC after: 1 month
svn path=/head/; revision=186601
2008-12-30 12:51:56 +00:00 · 2008-12-30 12:51:56 +00:00 · 7efa697d80 · 2020-12-20 02:59:44 +00:00
commit 7efa697d80
parent 83e73926ad
1 changed files with 8 additions and 6 deletions
--- a/sys/kern/kern_descrip.c
+++ b/sys/kern/kern_descrip.c
@ -1703,14 +1703,16 @@ fdfree(struct thread *td)
 	FILEDESC_XUNLOCK(fdp);
 	if (i > 0)
 		return;
-	/*
-	 * We are the last reference to the structure, so we can
-	 * safely assume it will not change out from under us.
-	 */
+
 	fpp = fdp->fd_ofiles;
 	for (i = fdp->fd_lastfile; i-- >= 0; fpp++) {
-		if (*fpp)
-			(void) closef(*fpp, td);
+		if (*fpp) {
+			FILEDESC_XLOCK(fdp);
+			fp = *fpp;
+			*fpp = NULL;
+			FILEDESC_XUNLOCK(fdp);
+			(void) closef(fp, td);
+		}
 	}
 	FILEDESC_XLOCK(fdp);