tech-kern archive


Re: Adding truncate/ftruncate length argument checks



On Wed, Feb 26, 2014 at 10:55:52PM +0100, Nicolas Joly wrote:
> > l_proc->p_rlimit may not be (if it is shared with another process,
> >   and an update by another process/thread causes the pointer to change,
> >   and the other owners all exit ...)
> 
> I don't think another process will cause any problem. Before any
> update, it will have its own private copy, leaving the previous shared
> version unmodified.
> 
> Regarding another thread ... The race does indeed exist, but only
> once in process life, for the first limit write access.

One copy of the structure is shared between all the lwps in a process.
It can also be shared with the parent and children.

If another lwp in the same process tries to edit a shared (by more than
one process) structure the code could read the old copy after
the ref count has been decreased. If you are then really unlucky the
process it is shared with will exit - and the data will be freed.
It might (in general) get unmapped (and fault) or be reallocated,
modified and then garbage read.

Some kind of rcu in the 'free' path would solve the latter.

        David

-- 
David Laight: david%l8s.co.uk@localhost
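
The interleaving described in the message above, replayed deterministically as a single-threaded userspace model, with a deferred-free variant standing in for the suggested RCU-style free path. This is an added example, not code from the thread or from NetBSD; `struct limits`, `release`, `reclaim` and the `readers` counter are hypothetical names, and the reader counter is a simplification of real RCU.

```c
#include <stdbool.h>
#include <string.h>
/* Userspace model; all names are hypothetical, not NetBSD kernel identifiers. */
struct limits { int refcnt; bool freed; long fsize; };

static struct limits pool[2];   /* pool[0]: shared copy, pool[1]: private copy */
static struct limits *retired;  /* object waiting for readers to drain */
static int readers;             /* lwps currently inside a read-side section */

/* Deferred-free step: reclaim only once no reader can hold a stale pointer. */
static void reclaim(void) {
    if (readers == 0 && retired != NULL) {
        retired->freed = true;
        retired = NULL;
    }
}

/* Drop one reference; the last drop frees at once or retires the object. */
static void release(struct limits *l, bool deferred) {
    if (--l->refcnt > 0)
        return;
    if (deferred)
        retired = l;            /* free postponed until readers drain */
    else
        l->freed = true;        /* stands in for the real free */
    reclaim();
}

/* Replays the interleaving; returns true if lwp A read freed memory. */
static bool stale_read_hits_freed(bool deferred) {
    memset(pool, 0, sizeof(pool));
    pool[0].refcnt = 2;                 /* shared by process C and its parent */
    struct limits *c_lim = &pool[0];    /* C's pointer, seen by all its lwps */
    readers++;                          /* lwp A enters its read-side section */
    struct limits *snap = c_lim;        /* lwp A: loads the pointer */
    pool[1] = *c_lim;                   /* lwp B: private copy before first write */
    pool[1].refcnt = 1;
    pool[1].fsize = 200;
    c_lim = &pool[1];
    release(&pool[0], deferred);        /* lwp B: drops C's ref on the old copy */
    release(&pool[0], deferred);        /* parent exits: last reference gone */
    bool hit = snap->freed;             /* lwp A: finally dereferences snap */
    readers--;                          /* lwp A leaves; reclamation may proceed */
    reclaim();
    return hit;
}

int main(void) {
    return (stale_read_hits_freed(false) && !stale_read_hits_freed(true)) ? 0 : 1;
}
```

The `freed` flag replaces an actual `free()` so the stale read is observable without undefined behaviour.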

