This patchset fixes a large number of file descriptor race conditions.

    Pre-rfork code assumed inherent locking of a process's file descriptor
    array.  However, with the advent of rfork() the file descriptor table
    could be shared between processes.  This patch closes over a dozen
    serious race conditions related to one thread manipulating the table
    (e.g. closing or dup()ing a descriptor) while another is blocked in
    an open(), close(), fcntl(), read(), write(), etc...

PR: kern/11629
Discussed with: Alexander Viro <viro@math.psu.edu>

1 files changed, 7 insertions, 2 deletions

diff --git a/sys/kern/sys_pipe.c b/sys/kern/sys_pipe.c
index 7600ffd..4c505e7 100644
--- a/sys/kern/sys_pipe.c
+++ b/sys/kern/sys_pipe.c
@@ -185,6 +185,7 @@ pipe(p, uap)
 	error = falloc(p, &rf, &fd);
 	if (error)
 		goto free2;
+	fhold(rf);
 	p->p_retval[0] = fd;
 	rf->f_flag = FREAD | FWRITE;
 	rf->f_type = DTYPE_PIPE;
@@ -201,11 +202,15 @@ pipe(p, uap)
 
 	rpipe->pipe_peer = wpipe;
 	wpipe->pipe_peer = rpipe;
+	fdrop(rf, p);
 
 	return (0);
 free3:
-	fdp->fd_ofiles[p->p_retval[0]] = 0;
-	ffree(rf);
+	if (fdp->fd_ofiles[p->p_retval[0]] == rf) {
+		fdp->fd_ofiles[p->p_retval[0]] = NULL;
+		fdrop(rf, p);
+	}
+	fdrop(rf, p);
 free2:
 	(void)pipeclose(wpipe);
 	(void)pipeclose(rpipe);