CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2026/04/27 07:06:14
Modified files:
usr.sbin/vmd : config.c
Log message:
vmd(8): Avoid reuse of dead file descriptor
When the vmd process sends a kernfd to the vmm process, that
descriptor will be closed in msgbuf_write() after a successful
sendmsg(). However, that descriptor number is still stored in
vm->vm_kernel.
When termination of one VM is interleaved with launch of another VM,
that number might be reassigned to a _new_ kernfd of the launching
VM. Now we have a race:
- the vmd process queues an imsg with that descriptor in config_setvm()
  (for the launching VM)
- the vmd process calls close() on that descriptor in vm_stop()
  (for the terminating VM)
- when the vmd process calls proc_dispatch() imsgbuf_send() for the
  imsg queued in config_setvm(), sendmsg() will return EBADF (the
  descriptor in the control message is invalid)
By dupping kernfd we can avoid this race.
ok dv@
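
The interleaving described in the log message can be replayed in a single process. The following is an added example, not code from vmd or from the commit: `send_and_close()` and `run_scenario()` are hypothetical names, `/dev/null` stands in for the kernel image, and the sketch assumes the fix queues a dup() of the descriptor while the stored number keeps the original.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical stand-in for the send path: after a successful
 * sendmsg() the sender closes the descriptor it passed. */
static void send_and_close(int fd) { close(fd); }

/*
 * Replays the interleaving in one process. Returns the errno seen when
 * the launching VM's queued descriptor is checked at send time
 * (0 = still valid, -1 = setup failure).
 */
int run_scenario(int use_dup)
{
	int stored, launch_fd, queued, err = 0;

	/* Terminating VM: number kept around, like vm->vm_kernel. */
	if ((stored = open("/dev/null", O_RDONLY)) == -1)
		return -1;
	/* Assumed fix: hand a dup to the send path, keep the original. */
	send_and_close(use_dup ? dup(stored) : stored);

	/* Launching VM: open() returns the lowest free number. */
	if ((launch_fd = open("/dev/null", O_RDONLY)) == -1)
		return -1;
	queued = use_dup ? dup(launch_fd) : launch_fd;

	/* Stop path of the terminating VM closes its stored number. */
	close(stored);

	/* Send time: sendmsg() would fail with EBADF on a dead fd. */
	if (fcntl(queued, F_GETFD) == -1)
		err = errno;
	else
		close(queued);
	if (use_dup)
		close(launch_fd);
	return err;
}

int main(void)
{
	printf("without dup: errno=%d (EBADF=%d)\n", run_scenario(0), EBADF);
	printf("with dup:    errno=%d\n", run_scenario(1));
	return 0;
}
```

Without the dup, the stale number is reassigned to the launching VM's descriptor and the stop path closes it out from under the queued message; with the dup, the stored number always refers to a descriptor the terminating VM still owns.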