Date:      Sun, 27 Nov 2011 19:02:18 +0000 (UTC)
From:      Konstantin Belousov <kib@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject:   svn commit: r228035 - releng/9.0/sys/kern
Message-ID:  <201111271902.pARJ2IIk052153@svn.freebsd.org>

Author: kib
Date: Sun Nov 27 19:02:18 2011
New Revision: 228035
URL: http://svn.freebsd.org/changeset/base/228035

Log:
  MFC r227952:
  Fix a race between getvnode() dereferencing half-constructed file
  and dupfdopen().
  
  Approved by:	re (bz)

Modified:
  releng/9.0/sys/kern/vfs_syscalls.c
Directory Properties:
  releng/9.0/sys/   (props changed)

Modified: releng/9.0/sys/kern/vfs_syscalls.c
==============================================================================
--- releng/9.0/sys/kern/vfs_syscalls.c	Sun Nov 27 19:00:52 2011	(r228034)
+++ releng/9.0/sys/kern/vfs_syscalls.c	Sun Nov 27 19:02:18 2011	(r228035)
@@ -4342,7 +4342,20 @@ getvnode(struct filedesc *fdp, int fd, c
 		fp = fp_fromcap;
 	}
 #endif /* CAPABILITIES */
-	if (fp->f_vnode == NULL) {
+
+	/*
+	 * The file could be not of the vnode type, or it may be not
+	 * yet fully initialized, in which case the f_vnode pointer
+	 * may be set, but f_ops is still badfileops.  E.g.,
+	 * devfs_open() transiently create such situation to
+	 * facilitate csw d_fdopen().
+	 *
+	 * Dupfdopen() handling in kern_openat() installs the
+	 * half-baked file into the process descriptor table, allowing
+	 * other thread to dereference it. Guard against the race by
+	 * checking f_ops.
+	 */
+	if (fp->f_vnode == NULL || fp->f_ops == &badfileops) {
 		fdrop(fp, curthread);
 		return (EINVAL);
 	}
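Review bot: the new guard `if (fp->f_vnode == NULL || fp->f_ops == &badfileops)` reads f_ops without holding any lock, so it only closes the window described in the block comment if f_ops is the last field the open path sets once the file is fully constructed (f_vnode set first, f_ops switched away from badfileops last); the comment should state that ordering assumption explicitly rather than only describing the devfs_open()/dupfdopen() case, so that a later change to the initialization order does not quietly reopen the race. Minor wording fixes in the same comment: "devfs_open() transiently creates such a situation" and "allowing another thread to dereference it".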
