Date: Sat, 4 Jul 2020 06:27:28 +0000 (UTC) From: Mateusz Guzik <mjg@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r362923 - head/sys/fs/devfs Message-ID: <202007040627.0646RSEi026833@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: mjg Date: Sat Jul 4 06:27:28 2020 New Revision: 362923 URL: https://svnweb.freebsd.org/changeset/base/362923 Log: devfs: fix a vnode use-after-free in devfs_ioctl The vnode to be replaced was read with a shared lock, meaning 2 racing threads can find the same one. While here clean it up a little bit. Modified: head/sys/fs/devfs/devfs_vnops.c Modified: head/sys/fs/devfs/devfs_vnops.c ============================================================================== --- head/sys/fs/devfs/devfs_vnops.c Sat Jul 4 06:25:41 2020 (r362922) +++ head/sys/fs/devfs/devfs_vnops.c Sat Jul 4 06:27:28 2020 (r362923) @@ -787,6 +787,7 @@ devfs_ioctl(struct vop_ioctl_args *ap) struct vnode *vpold, *vp; struct cdevsw *dsw; struct thread *td; + struct session *sess; struct cdev *dev; int error, ref, i; const char *p; @@ -836,18 +837,18 @@ devfs_ioctl(struct vop_ioctl_args *ap) * nothing left to do. */ sx_slock(&proctree_lock); - if (td->td_proc->p_session->s_ttyvp == vp || - td->td_proc->p_session->s_ttyp == NULL) { + sess = td->td_proc->p_session; + if (sess->s_ttyvp == vp || sess->s_ttyp == NULL) { sx_sunlock(&proctree_lock); return (0); } - vpold = td->td_proc->p_session->s_ttyvp; - VREF(vp); - SESS_LOCK(td->td_proc->p_session); - td->td_proc->p_session->s_ttyvp = vp; - td->td_proc->p_session->s_ttydp = cdev2priv(dev); - SESS_UNLOCK(td->td_proc->p_session); + vrefact(vp); + SESS_LOCK(sess); + vpold = sess->s_ttyvp; + sess->s_ttyvp = vp; + sess->s_ttydp = cdev2priv(dev); + SESS_UNLOCK(sess); sx_sunlock(&proctree_lock);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202007040627.0646RSEi026833>