Fixes FD set freeing
authorBarret Rhoden <brho@cs.berkeley.edu>
Mon, 6 Oct 2014 21:21:58 +0000 (14:21 -0700)
committerBarret Rhoden <brho@cs.berkeley.edu>
Mon, 6 Oct 2014 22:32:06 +0000 (15:32 -0700)
If a process is DYING and the number of FDs was greater than the default, we
would free the blobs, but keep pointers to the blobs.  Later, a pip would try
to read those and would be looking at re-alloced, garbage memory.

kern/src/vfs.c

index b3945ea..e349138 100644 (file)
@@ -2360,11 +2360,24 @@ static int grow_fd_set(struct files_struct *open_files) {
 }
 
 /* Free the vfs fd set if necessary */
-static void free_fd_set(struct files_struct *open_files) {
+static void free_fd_set(struct files_struct *open_files)
+{
+       void *free_me;
        if (open_files->open_fds != (struct fd_set*)&open_files->open_fds_init) {
-               kfree(open_files->open_fds);
                assert(open_files->fd != open_files->fd_array);
-               kfree(open_files->fd);
+               /* need to reset the pointers to the internal addrs, in case we take a
+                * look while debugging.  0 them out, since they have old data.  our
+                * current versions should all be closed. */
+               memset(&open_files->open_fds_init, 0, sizeof(struct small_fd_set));
+               memset(&open_files->fd_array, 0, sizeof(open_files->fd_array));
+
+               free_me = open_files->open_fds;
+               open_files->open_fds = (struct fd_set*)&open_files->open_fds_init;
+               kfree(free_me);
+
+               free_me = open_files->fd;
+               open_files->fd = open_files->fd_array;
+               kfree(free_me);
        }
 }
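Review bot: Repointing `open_fds` and `fd` back at the embedded `open_fds_init` and `fd_array` is not paired with restoring whatever size fields grow_fd_set enlarged, so unless the caller resets them, a later reader that walks up to the grown limit would index past the small internal arrays; those fields are not visible in this hunk, so confirm against grow_fd_set and either reset them here or state in the comment that the caller must. A smaller point: the two memsets size themselves differently, `sizeof(struct small_fd_set)` for one field and `sizeof(open_files->fd_array)` for the other; `memset(&open_files->open_fds_init, 0, sizeof(open_files->open_fds_init));` keeps the size tied to the field. The block comment could also state the ordering that makes this fix work, e.g. `/* swap the pointer to the internal storage before kfree so no dangling pointer is ever observable */`. The whole of free_fd_set is within the hunk.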