From 15a44d16ca10bf52da55462560c345940cd19b38 Mon Sep 17 00:00:00 2001
From: dillon
Date: Sat, 18 Nov 2000 21:01:04 +0000
Subject: This patchset fixes a large number of file descriptor race conditions. Pre-rfork code assumed inherent locking of a process's file descriptor array. However, with the advent of rfork() the file descriptor table could be shared between processes. This patch closes over a dozen serious race conditions related to one thread manipulating the table (e.g. closing or dup()ing a descriptor) while another is blocked in an open(), close(), fcntl(), read(), write(), etc...
PR: kern/11629
Discussed with: Alexander Viro
---
 sys/nfs/nfs_syscalls.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'sys/nfs')
diff --git a/sys/nfs/nfs_syscalls.c b/sys/nfs/nfs_syscalls.c
index 1e0162f..83cc56b 100644
--- a/sys/nfs/nfs_syscalls.c
+++ b/sys/nfs/nfs_syscalls.c
@@ -194,7 +194,7 @@ nfssvc(p, uap)
 error = copyin(uap->argp, (caddr_t)&nfsdarg, sizeof(nfsdarg));
 if (error)
 return (error);
- error = getsock(p->p_fd, nfsdarg.sock, &fp);
+ error = holdsock(p->p_fd, nfsdarg.sock, &fp);
 if (error)
 return (error);
 /*
@@ -205,10 +205,13 @@ nfssvc(p, uap)
 else {
 error = getsockaddr(&nam, nfsdarg.name,
 nfsdarg.namelen);
- if (error)
+ if (error) {
+ fdrop(fp, p);
 return (error);
+ }
 }
 error = nfssvc_addsock(fp, nam, p);
+ fdrop(fp, p);
 } else {
 error = copyin(uap->argp, (caddr_t)nsd, sizeof (*nsd));
 if (error)
--
cgit v1.1
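Review bot: The unconditional `fdrop(fp, p);` added after `error = nfssvc_addsock(fp, nam, p);` in the second hunk releases the reference taken by `holdsock()` whether or not the call succeeded, so it is only correct if nfssvc_addsock() takes its own reference whenever it keeps fp. That function's body is not part of this diff, so the assumption should be confirmed. If it holds, a comment at the drop such as `/* release the holdsock() reference; nfssvc_addsock() holds its own if it kept fp */` would record the ownership rule, because an extra or missing drop on a shared descriptor table ends in a use-after-free or a leaked file. nfssvc's body starts and ends outside both hunks and the lines between them are not shown, so any exit path there after `holdsock()` would need the same `fdrop(fp, p);`.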