This patchset fixes a large number of file descriptor race conditions.

    Pre-rfork code assumed inherent locking of a process's file descriptor
    array.  However, with the advent of rfork() the file descriptor table
    could be shared between processes.  This patch closes over a dozen
    serious race conditions related to one thread manipulating the table
    (e.g. closing or dup()ing a descriptor) while another is blocked in
    an open(), close(), fcntl(), read(), write(), etc...

PR: kern/11629
Discussed with: Alexander Viro <viro@math.psu.edu>

1 files changed, 5 insertions, 2 deletions

diff --git a/sys/nfsserver/nfs_syscalls.c b/sys/nfsserver/nfs_syscalls.c
index 1e0162f..83cc56b 100644
--- a/sys/nfsserver/nfs_syscalls.c
+++ b/sys/nfsserver/nfs_syscalls.c
@@ -194,7 +194,7 @@ nfssvc(p, uap)
 		error = copyin(uap->argp, (caddr_t)&nfsdarg, sizeof(nfsdarg));
 		if (error)
 			return (error);
-		error = getsock(p->p_fd, nfsdarg.sock, &fp);
+		error = holdsock(p->p_fd, nfsdarg.sock, &fp);
 		if (error)
 			return (error);
 		/*
@@ -205,10 +205,13 @@ nfssvc(p, uap)
 		else {
 			error = getsockaddr(&nam, nfsdarg.name,
 					    nfsdarg.namelen);
-			if (error)
+			if (error) {
+				fdrop(fp, p);
 				return (error);
+			}
 		}
 		error = nfssvc_addsock(fp, nam, p);
+		fdrop(fp, p);
 	} else {
 		error = copyin(uap->argp, (caddr_t)nsd, sizeof (*nsd));
 		if (error)