From: Konstantin Belousov
Date: Wed, 13 Jan 2016 14:02:07 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r293826 - head/sys/security/audit

Author: kib
Date: Wed Jan 13 14:02:07 2016
New Revision: 293826
URL: https://svnweb.freebsd.org/changeset/base/293826

Log:
  Move the funsetown(9) call from audit_pipe_close() to cdevpriv destructor. As result, close method becomes trivial and removed.

  Final cdevsw close method might be called without file context (e.g. in vn_open_vnode() if the vnode is reclaimed meantime), which leaves ap_sigio registered for notification, despite cdevpriv destructor frees the memory later.

  Call destructor instead of doing a cleanup inline, for devfs_set_cdevpriv() failure in open. This adds missed funsetown(9) call and locks ap to satisfy audit_pipe_free() invariants.

  Reported and tested by: pho (previous version)
  Sponsored by: The FreeBSD Foundation
  MFC after: 1 week

Modified:
  head/sys/security/audit/audit_pipe.c

Modified: head/sys/security/audit/audit_pipe.c ============================================================================== --- head/sys/security/audit/audit_pipe.c Wed Jan 13 12:01:28 2016 (r293825) +++ head/sys/security/audit/audit_pipe.c Wed Jan 13 14:02:07 2016 (r293826) @@ -223,7 +223,6 @@ static struct cdev *audit_pipe_dev; * Special device methods and definition. */ static d_open_t audit_pipe_open; -static d_close_t audit_pipe_close; static d_read_t audit_pipe_read; static d_ioctl_t audit_pipe_ioctl; static d_poll_t audit_pipe_poll; 
@@ -232,7 +231,6 @@ static d_kqfilter_t audit_pipe_kqfilter; static struct cdevsw audit_pipe_cdevsw = { .d_version = D_VERSION, .d_open = audit_pipe_open, - .d_close = audit_pipe_close, .d_read = audit_pipe_read, .d_ioctl = audit_pipe_ioctl, .d_poll = audit_pipe_poll, @@ -658,6 +656,7 @@ audit_pipe_dtor(void *arg) struct audit_pipe *ap; ap = arg; + funsetown(&ap->ap_sigio); AUDIT_PIPE_LIST_WLOCK(); AUDIT_PIPE_LOCK(ap); audit_pipe_free(ap); @@ -676,33 +675,13 @@ audit_pipe_open(struct cdev *dev, int of int error; ap = audit_pipe_alloc(); - if (ap == NULL) { + if (ap == NULL) return (ENOMEM); - } fsetown(td->td_proc->p_pid, &ap->ap_sigio); error = devfs_set_cdevpriv(ap, audit_pipe_dtor); - if (error != 0) { - AUDIT_PIPE_LIST_WLOCK(); - audit_pipe_free(ap); - AUDIT_PIPE_LIST_WUNLOCK(); - } - return (0); -} - -/* - * Close audit pipe, tear down all records, etc. - */ -static int -audit_pipe_close(struct cdev *dev, int fflag, int devtype, struct thread *td) -{ - struct audit_pipe *ap; - int error; - - error = devfs_get_cdevpriv((void **)&ap); if (error != 0) - return (error); - funsetown(&ap->ap_sigio); - return (0); + audit_pipe_dtor(ap); + return (error); } /*
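Review bot: in the audit_pipe_dtor() hunk (@@ -658,6 +656,7 @@), the new funsetown(&ap->ap_sigio) call is placed ahead of AUDIT_PIPE_LIST_WLOCK() and AUDIT_PIPE_LOCK(ap) with no comment saying why it has to run there. The commit log gives the reason (ap_sigio must not stay registered for notification once the destructor frees the memory), but nothing in the code records it. A short comment above the call stating that the sigio registration must be dropped before audit_pipe_free(), and that this destructor is now the only place that does so since audit_pipe_close() is gone, would stop a later cleanup from reordering or removing it.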
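Review bot: in the audit_pipe_open() hunk (@@ -676,33 +675,13 @@), the result of fsetown(td->td_proc->p_pid, &ap->ap_sigio) is still discarded before devfs_set_cdevpriv() is called, so open can succeed with a pipe whose owner was never set. Either check the return value and take the same audit_pipe_dtor(ap) exit as the devfs_set_cdevpriv() failure, or add a comment saying why it cannot fail here. The new failure branch also calls audit_pipe_dtor(ap) directly on an ap that was never installed as cdevpriv; a one-line comment there noting that the destructor is reused for its funsetown() and the locking audit_pipe_free() expects would make that intent clear to the next reader.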