From 7efa697d80b8d30abf41496ef476c4b372ad649b Mon Sep 17 00:00:00 2001
From: Konstantin Belousov
Date: Tue, 30 Dec 2008 12:51:56 +0000
Subject: [PATCH] Clear the pointers to the file in the struct filedesc before file is closed in fdfree.

Otherwise, sysctl_kern_proc_filedesc may dereference stale struct file * values.

Reported and tested by: pho
MFC after: 1 month
---
 sys/kern/kern_descrip.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/sys/kern/kern_descrip.c b/sys/kern/kern_descrip.c
index c9814112b6af..648d27e8df8f 100644
--- a/sys/kern/kern_descrip.c
+++ b/sys/kern/kern_descrip.c
@@ -1703,14 +1703,16 @@ fdfree(struct thread *td)
 	FILEDESC_XUNLOCK(fdp);
 	if (i > 0)
 		return;
-	/*
-	 * We are the last reference to the structure, so we can
-	 * safely assume it will not change out from under us.
-	 */
+
 	fpp = fdp->fd_ofiles;
 	for (i = fdp->fd_lastfile; i-- >= 0; fpp++) {
-		if (*fpp)
-			(void) closef(*fpp, td);
+		if (*fpp) {
+			FILEDESC_XLOCK(fdp);
+			fp = *fpp;
+			*fpp = NULL;
+			FILEDESC_XUNLOCK(fdp);
+			(void) closef(fp, td);
+		}
 	}
 	FILEDESC_XLOCK(fdp);