Linux-Fsdevel Archive on lore.kernel.org
help / color / mirror / Atom feed
* fcntl(F_DUPFD) causing apparent file descriptor table corruption
@ 2020-05-19 21:03 Thiago Macieira
  2020-05-19 21:45 ` Al Viro
  0 siblings, 1 reply; 5+ messages in thread
From: Thiago Macieira @ 2020-05-19 21:03 UTC (permalink / raw)
  To: viro; +Cc: linux-fsdevel

[-- Attachment #1: Type: text/plain, Size: 2732 bytes --]

Hello Al & others

While doing something I shouldn't be doing in my code, I realised that my code 
stopped responding. Turns out that after some F_DUPFD forcing the file 
descriptor preposterously high, the low file descriptors become EBADF. 
Something must be wrong in expand_files, but I don't have the expertise to 
debug it. I'm hoping someone else will.

I've attached a testcase for it. It needs to be run as root. It's not threaded 
and it reproduces the problem 100% of the time on my stable kernel (5.6.13). 
This is not a security issue, since it affects only the calling process 
itself.

On my machine, /proc/sys/fs/nr_open is 1073741816 and I have 32 GB of RAM (if 
the problem is related to memory consumption).

The problem only occurs when growing the table.

strace shows something like:
fcntl(2, F_DUPFD, 1024)                 = 1024
close(1024)                             = 0
fcntl(2, F_DUPFD, 2048)                 = 2048
close(2048)                             = 0
fcntl(2, F_DUPFD, 4096)                 = 4096
close(4096)                             = 0
fcntl(2, F_DUPFD, 8192)                 = 8192
close(8192)                             = 0
fcntl(2, F_DUPFD, 16384)                = 16384
close(16384)                            = 0
fcntl(2, F_DUPFD, 32768)                = 32768
close(32768)                            = 0
fcntl(2, F_DUPFD, 65536)                = 65536
close(65536)                            = 0
fcntl(2, F_DUPFD, 131072)               = 131072
close(131072)                           = 0
fcntl(2, F_DUPFD, 262144)               = 262144
close(262144)                           = 0
fcntl(2, F_DUPFD, 524288)               = 524288
close(524288)                           = 0
fcntl(2, F_DUPFD, 1048576)              = 1048576
close(1048576)                          = 0
fcntl(2, F_DUPFD, 2097152)              = 2097152
close(2097152)                          = 0
fcntl(2, F_DUPFD, 4194304)              = 4194304
close(4194304)                          = 0
fcntl(2, F_DUPFD, 8388608)              = 8388608
close(8388608)                          = 0
fcntl(2, F_DUPFD, 16777216)             = 16777216
close(16777216)                         = 0
fcntl(2, F_DUPFD, 33554432)             = 33554432
close(33554432)                         = 0
fcntl(2, F_DUPFD, 67108864)             = 67108864
close(67108864)                         = 0
fcntl(2, F_DUPFD, 134217728)            = 134217728
close(134217728)                        = 0
fcntl(2, F_DUPFD, 536870912)            = 536870912
close(536870912)                        = 0
write(1, "success\n", 8)                = EBADF
-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel System Software Products

[-- Attachment #2: dupfd-bug.c --]
[-- Type: text/plain, Size: 1419 bytes --]

#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

void run_test(int maxfd)
{
    int srcfd = STDERR_FILENO;
    int minfd = 1024;

    /* Linux kernel expands the file descriptor table exponentially, so
     * keep requesting a minimum file descriptor exponentially. */
    for ( ; minfd < maxfd; minfd *= 2) {
        int fd;
        do {
            fd = fcntl(srcfd, F_DUPFD, minfd);
        } while (fd == -1 && errno == EINTR);

        if (fd == -1) {
            if (errno != EMFILE)
                perror("fcntl");
            return;
        }
        close(fd);
    }
}

int main(int argc, char **argv)
{
    struct rlimit lim;
    if (argc > 1) {
        lim.rlim_max = lim.rlim_cur = strtol(argv[1], NULL, 0);
    } else {
        int n;
        FILE *f = fopen("/proc/sys/fs/nr_open","r");
        if (!f) {
            perror("fopen");
            return EXIT_FAILURE;
        }
        if (fscanf(f, "%d", &n) != 1)
            return EXIT_FAILURE;
        fclose(f);
        lim.rlim_max = lim.rlim_cur = n;
    }

    if (setrlimit(RLIMIT_NOFILE, &lim) == -1) {
        perror("setrlimit");
        return EXIT_FAILURE;
    }

    run_test(lim.rlim_cur);

    static const char msg[] = "success\n";
    int ok1 = write(STDOUT_FILENO, msg, strlen(msg)) == strlen(msg);
    return ok1 ? EXIT_SUCCESS : 255;
}

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2020-05-19 22:28 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-05-19 21:03 fcntl(F_DUPFD) causing apparent file descriptor table corruption Thiago Macieira
2020-05-19 21:45 ` Al Viro
2020-05-19 22:04   ` Al Viro
2020-05-19 22:18   ` Thiago Macieira
2020-05-19 22:28     ` Al Viro

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).