Subject: Re: race in select() ?
To: David Laight <david@l8s.co.uk>
From: Charles M. Hannum <abuse@spamalicious.com>
List: tech-kern
Date: 10/09/2003 17:17:48
On Thursday 09 October 2003 05:01 pm, David Laight wrote:
> On Thu, Oct 09, 2003 at 05:20:10PM +0200, Manuel Bouyer wrote:
> > On Thu, Oct 09, 2003 at 02:13:51PM +0100, David Laight wrote:
> > > I presume inetd takes the fd out of its select list until the
> > > rpc.rstatd process exits.  Otherwise there would be a nasty loop.
> >
> > Yes it does.
>
> There is a timing bug in inetd itself.  rev 1.76 reads:
>
> 	readable = allsock;
> 	if ((n = select(maxsock + 1, &readable, (fd_set *)0,
> 		...
>
> and reapchild does:
> 	FD_SET(sep->se_fd, &allsock);
>
> So if a child exits after the copy is made, but before the system call
> the select won't be looking for the correct fdset.
> If reapchild set the bit in readable then there could be a false
> positive if the SIGCHLD happened in the system call return path,
> that might be easier to check though (e.g. detect it happening, and
> call select again).

There was at least one version of inetd that kept a pipe open to itself, and 
would write bytes to itself asynchronously to make select() return and loop 
around again.