From: Konstantin Belousov
Date: Mon, 15 Dec 2014 11:00:57 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject: svn commit: r275797 - stable/10/sys/kern

Author: kib
Date: Mon Dec 15 11:00:56 2014
New Revision: 275797
URL: https://svnweb.freebsd.org/changeset/base/275797

Log:
  MFC r275619:
  Check for bo_bufobj->bo_object for NULL and cache the value in local
  variable to avoid NULL dereference in getnewbuf_reuse_bp(). The vnode
  owning the buffer is not locked there.

Modified:
  stable/10/sys/kern/vfs_bio.c
Directory Properties:
  stable/10/ (props changed)

Modified: stable/10/sys/kern/vfs_bio.c
==============================================================================
--- stable/10/sys/kern/vfs_bio.c Mon Dec 15 10:58:02 2014 (r275796) +++ stable/10/sys/kern/vfs_bio.c Mon Dec 15 11:00:56 2014 (r275797) @@ -1852,15 +1852,18 @@ out: static void vfs_vmio_release(struct buf *bp) { - int i; + vm_object_t obj; vm_page_t m; + int i; if ((bp->b_flags & B_UNMAPPED) == 0) { BUF_CHECK_MAPPED(bp); pmap_qremove(trunc_page((vm_offset_t)bp->b_data), bp->b_npages); } else BUF_CHECK_UNMAPPED(bp); - VM_OBJECT_WLOCK(bp->b_bufobj->bo_object); + obj = bp->b_bufobj->bo_object; + if (obj != NULL) + VM_OBJECT_WLOCK(obj); for (i = 0; i < bp->b_npages; i++) { m = bp->b_pages[i]; bp->b_pages[i] = NULL; @@ -1885,7 +1888,8 @@ vfs_vmio_release(struct buf *bp) vm_page_try_to_cache(m); vm_page_unlock(m); } - VM_OBJECT_WUNLOCK(bp->b_bufobj->bo_object); + if (obj != NULL) + VM_OBJECT_WUNLOCK(obj); if (bp->b_bufsize) { bufspacewakeup();
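
Review bot: the new NULL check in the first hunk of vfs_vmio_release(), at "obj = bp->b_bufobj->bo_object; if (obj != NULL)", has no comment saying why bo_object can be NULL at this point. The reason is only in the commit log (the vnode owning the buffer is not locked on the getnewbuf_reuse_bp() path). A short comment above the assignment would keep a later cleanup from folding the check back into a direct dereference, and could also say that the value is read once into a local on purpose so that the lock and the unlock operate on the same object.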
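
Review bot: in the second hunk, when obj is NULL the page loop that ends in "vm_page_try_to_cache(m); vm_page_unlock(m);" has run with no object lock taken by this function, because both VM_OBJECT_WLOCK(obj) and VM_OBJECT_WUNLOCK(obj) are now skipped. Please confirm that this path is safe for whatever is still in bp->b_pages, or that bp->b_npages is expected to be 0 once the object is gone, and record that as a comment or an assertion next to the conditional unlock.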