From owner-svn-src-all@FreeBSD.ORG  Fri Mar 25 10:57:57 2011
Return-Path: <owner-svn-src-all@FreeBSD.ORG>
Delivered-To: svn-src-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id BFC10106572F;
	Fri, 25 Mar 2011 10:57:57 +0000 (UTC) (envelope-from kib@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id 937218FC0C;
	Fri, 25 Mar 2011 10:57:57 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id p2PAvvmw078932;
	Fri, 25 Mar 2011 10:57:57 GMT (envelope-from kib@svn.freebsd.org)
Received: (from kib@localhost)
	by svn.freebsd.org (8.14.3/8.14.3/Submit) id p2PAvvkL078930;
	Fri, 25 Mar 2011 10:57:57 GMT (envelope-from kib@svn.freebsd.org)
Message-Id: <201103251057.p2PAvvkL078930@svn.freebsd.org>
From: Konstantin Belousov <kib@FreeBSD.org>
Date: Fri, 25 Mar 2011 10:57:57 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-head@freebsd.org
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r219986 - head/sys/compat/freebsd32
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
	user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Mar 2011 10:57:57 -0000

Author: kib
Date: Fri Mar 25 10:57:57 2011
New Revision: 219986
URL: http://svn.freebsd.org/changeset/base/219986

Log:
  Fix file leakage in the freebsd32_ioctl routines.
  
  Code inspection shows freebsd32_ioctl calls fget for a fd and calls
  a subroutine to handle each specific ioctl.  It is expected that the
  subroutine will call fdrop when done.  However many of the subroutines
  will exit out early if copyin encounters an error resulting in fdrop
  never being called.
  
  Submitted by:	John Wehle <john feith com>
  MFC after:	3 days

Modified:
  head/sys/compat/freebsd32/freebsd32_ioctl.c

Modified: head/sys/compat/freebsd32/freebsd32_ioctl.c
==============================================================================
--- head/sys/compat/freebsd32/freebsd32_ioctl.c	Fri Mar 25 10:55:25 2011	(r219985)
+++ head/sys/compat/freebsd32/freebsd32_ioctl.c	Fri Mar 25 10:57:57 2011	(r219986)
@@ -70,7 +70,6 @@ freebsd32_ioctl_md(struct thread *td, st
 		panic("%s: where is my ioctl data??", __func__);
 	if (uap->com & IOC_IN) {
 		if ((error = copyin(uap->data, &md32, sizeof(md32)))) {
-			fdrop(fp, td);
 			return (error);
 		}
 		CP(md32, mdv, md_version);
@@ -121,7 +120,6 @@ freebsd32_ioctl_md(struct thread *td, st
 		CP(mdv, md32, md_fwsectors);
 		error = copyout(&md32, uap->data, sizeof(md32));
 	}
-	fdrop(fp, td);
 	return error;
 }
 
@@ -144,7 +142,6 @@ freebsd32_ioctl_ioc_toc_header(struct th
 	CP(toch32, toch, ending_track);
 	error = fo_ioctl(fp, CDIOREADTOCHEADER, (caddr_t)&toch,
 	    td->td_ucred, td);
-	fdrop(fp, td);
 	return (error);
 }
 
@@ -175,7 +172,6 @@ freebsd32_ioctl_ioc_read_toc(struct thre
 		PTROUT_CP(toce, toce32, data);
 		error = copyout(&toce32, uap->data, sizeof(toce32));
 	}
-	fdrop(fp, td);
 	return error;
 }
 
@@ -192,7 +188,6 @@ freebsd32_ioctl_fiodgname(struct thread 
 	CP(fgn32, fgn, len);
 	PTRIN_CP(fgn32, fgn, buf);
 	error = fo_ioctl(fp, FIODGNAME, (caddr_t)&fgn, td->td_ucred, td);
-	fdrop(fp, td);
 	return (error);
 }
 
@@ -219,16 +214,20 @@ freebsd32_ioctl(struct thread *td, struc
 	case MDIOCDETACH_32:	/* FALLTHROUGH */
 	case MDIOCQUERY_32:	/* FALLTHROUGH */
 	case MDIOCLIST_32:
-		return freebsd32_ioctl_md(td, uap, fp);
+		error = freebsd32_ioctl_md(td, uap, fp);
+		break;
 
 	case CDIOREADTOCENTRYS_32:
-		return freebsd32_ioctl_ioc_read_toc(td, uap, fp);
+		error = freebsd32_ioctl_ioc_read_toc(td, uap, fp);
+		break;
 
 	case CDIOREADTOCHEADER_32:
-		return freebsd32_ioctl_ioc_toc_header(td, uap, fp);
+		error = freebsd32_ioctl_ioc_toc_header(td, uap, fp);
+		break;
 
 	case FIODGNAME_32:
-		return freebsd32_ioctl_fiodgname(td, uap, fp);
+		error = freebsd32_ioctl_fiodgname(td, uap, fp);
+		break;
 
 	default:
 		fdrop(fp, td);
@@ -237,4 +236,7 @@ freebsd32_ioctl(struct thread *td, struc
 		PTRIN_CP(*uap, ap, data);
 		return ioctl(td, &ap);
 	}
+
+	fdrop(fp, td);
+	return error;
 }