To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Christos Margiolis
Subject: git: d26b3c9b3415 - stable/15 - cuse: Fix cdevpriv bugs in cuse_client_open()
Date: Thu, 20 Nov 2025 13:31:39 +0000
Message-Id: <691f183b.2cd91.71b71dca@gitrepo.freebsd.org>
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches

The branch stable/15 has been updated by christos:

URL: https://cgit.FreeBSD.org/src/commit/?id=d26b3c9b341522090885ec362aa5cd1f90eb57c9

commit d26b3c9b341522090885ec362aa5cd1f90eb57c9
Author:     Christos Margiolis
AuthorDate: 2025-11-13 12:11:06 +0000
Commit:     Christos Margiolis
CommitDate: 2025-11-20 13:28:14 +0000

cuse: Fix cdevpriv bugs in cuse_client_open()

If devfs_set_cdevpriv() fails, we will panic when we enter the
cuse_client_free() callback, for a number of reasons:
- pcc->server is not yet assigned, so we'll use a NULL pointer.
- pcc has not yet been added to the pcs->hcli TAILQ, but we'll try to
  remove it.
- pccmd->sx and pccmd->cv are not yet initialized, but we'll try to
  destroy them.

Even if we'd get past all these somehow, we'd still get two errors in
the devfs_set_cdevpriv() failure block:
- We'll unref the server twice, once in cuse_client_free(), and again in
  cuse_client_open().
- A double-free panic, since we'd be trying to free(pcc), which has
  already been freed in cuse_client_free().

Fix all those issues.

While here, also get rid of some unnecessary devfs_clear_cdevpriv().

Sponsored by: The FreeBSD Foundation MFC after: 1 week Reviewed by: kib Differential Revision: https://reviews.freebsd.org/D53708 (cherry picked from commit 634e578ac7b0a03ae25427c723c0da27e894a340) --- sys/fs/cuse/cuse.c | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/sys/fs/cuse/cuse.c b/sys/fs/cuse/cuse.c index b2524324584a..b914b2d5017c 100644 --- a/sys/fs/cuse/cuse.c +++ b/sys/fs/cuse/cuse.c @@ -1516,13 +1516,6 @@ cuse_client_open(struct cdev *dev, int fflags, int devtype, struct thread *td) } pcc = malloc(sizeof(*pcc), M_CUSE, M_WAITOK | M_ZERO); - if (devfs_set_cdevpriv(pcc, &cuse_client_free)) { - printf("Cuse: Cannot set cdevpriv.\n"); - /* drop reference on server */ - cuse_server_unref(pcs); - free(pcc, M_CUSE); - return (ENOMEM); - } pcc->fflags = fflags; pcc->server_dev = pcsd; pcc->server = pcs; @@ -1553,10 +1546,12 @@ cuse_client_open(struct cdev *dev, int fflags, int devtype, struct thread *td) } cuse_server_unlock(pcs); - if (error) { - devfs_clear_cdevpriv(); /* XXX bugfix */ + if (error != 0) return (error); - } + + if ((error = devfs_set_cdevpriv(pcc, &cuse_client_free)) != 0) + return (error); + pccmd = &pcc->cmds[CUSE_CMD_OPEN]; cuse_cmd_lock(pccmd); @@ -1575,9 +1570,6 @@ cuse_client_open(struct cdev *dev, int fflags, int devtype, struct thread *td) cuse_cmd_unlock(pccmd); - if (error) - devfs_clear_cdevpriv(); /* XXX bugfix */ - return (error); }
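
Review bot: In the first hunk (@@ -1516,13 +1516,6 @@), the removed failure block printed "Cuse: Cannot set cdevpriv." and returned ENOMEM, while the replacement call in the second hunk returns whatever devfs_set_cdevpriv() reports and logs nothing. That changes the errno seen by callers of open() on this path and drops the only diagnostic. The commit message does not mention either change, so please note the new error value there, and say whether dropping the printf is intentional.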
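
Review bot: In the second hunk (@@ -1553,10 +1546,12 @@), the "if (error != 0) return (error);" path now returns before any destructor has been registered, and nothing in the visible lines frees pcc (allocated with malloc() in the first hunk) or drops the server reference that the removed failure block released with cuse_server_unref(pcs). The old code reached that cleanup through devfs_clear_cdevpriv(), which can no longer happen here because the cdevpriv is only set after this check. Unless the elided code above cuse_server_unlock(pcs) already releases both, this return needs cuse_server_unref(pcs) and free(pcc, M_CUSE) before it.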
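
Review bot: In the third hunk (@@ -1575,9 +1570,6 @@), the error return after cuse_cmd_unlock(pccmd) now leaves a cdevpriv set on a failed open and depends on code outside this function to run cuse_client_free(). The commit message calls the removed devfs_clear_cdevpriv() unnecessary without saying why, and the deleted "XXX bugfix" comments suggest the calls were added deliberately. A one-line comment at this return naming what tears down the cdevpriv when open fails would keep the call from being reinstated later.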