From: Konstantin Belousov
Date: Thu, 13 Sep 2012 13:05:46 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r240464 - head/sys/fs/deadfs

Author: kib
Date: Thu Sep 13 13:05:45 2012
New Revision: 240464
URL: http://svn.freebsd.org/changeset/base/240464

Log:
  The deadfs VOPs for vop_ioctl and vop_bmap call themselves recursively,
  which is an elaborate way to cause a kernel panic. Change the VOPs
  implementation to return EBADF for a reclaimed vnode.

  While the calls to vop_bmap should not reach deadfs, it is indeed
  possible for vop_ioctl, because the VOP locking protocol is to pass
  the vnode to VOP unlocked. The actual panic was observed when ioctl
  was called on a procfs file descriptor which pointed to an exited
  process.

  Reported by: zont
  Tested by: pho
  MFC after: 1 week

Modified:
  head/sys/fs/deadfs/dead_vnops.c

Modified: head/sys/fs/deadfs/dead_vnops.c ============================================================================== --- head/sys/fs/deadfs/dead_vnops.c Thu Sep 13 12:55:10 2012 (r240463) +++ head/sys/fs/deadfs/dead_vnops.c Thu Sep 13 13:05:45 2012 (r240464) @@ -41,8 +41,6 @@ /* * Prototypes for dead operations on vnodes. */ -static vop_bmap_t dead_bmap; -static vop_ioctl_t dead_ioctl; static vop_lookup_t dead_lookup; static vop_open_t dead_open; static vop_poll_t dead_poll; 
@@ -56,12 +54,12 @@ struct vop_vector dead_vnodeops = { .vop_access = VOP_EBADF, .vop_advlock = VOP_EBADF, - .vop_bmap = dead_bmap, + .vop_bmap = VOP_EBADF, .vop_create = VOP_PANIC, .vop_getattr = VOP_EBADF, .vop_getwritemount = dead_getwritemount, .vop_inactive = VOP_NULL, - .vop_ioctl = dead_ioctl, + .vop_ioctl = VOP_EBADF, .vop_link = VOP_PANIC, .vop_lookup = dead_lookup, .vop_mkdir = VOP_PANIC, @@ -166,43 +164,6 @@ dead_write(ap) } /* - * Device ioctl operation. - */ -/* ARGSUSED */ -static int -dead_ioctl(ap) - struct vop_ioctl_args /* { - struct vnode *a_vp; - u_long a_command; - caddr_t a_data; - int a_fflag; - struct ucred *a_cred; - struct proc *a_p; - } */ *ap; -{ - /* XXX: Doesn't this just recurse back here ? */ - return (VOP_IOCTL_AP(ap)); -} - -/* - * Wait until the vnode has finished changing state. - */ -static int -dead_bmap(ap) - struct vop_bmap_args /* { - struct vnode *a_vp; - daddr_t a_bn; - struct bufobj **a_bop; - daddr_t *a_bnp; - int *a_runp; - int *a_runb; - } */ *ap; -{ - - return (VOP_BMAP(ap->a_vp, ap->a_bn, ap->a_bop, ap->a_bnp, ap->a_runp, ap->a_runb)); -} - -/* * Trivial poll routine that always returns POLLHUP. * This is necessary so that a process which is polling a file * gets notified when that file is revoke()d.
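Review bot: The two new VOP_EBADF entries in the @@ -56,12 +54,12 @@ hunk need a short comment in the vector, because the reason for each one exists only in the commit log. The log says vop_ioctl can really arrive here (the vnode is passed to the VOP unlocked, so it may already be reclaimed), while vop_bmap is not expected to reach deadfs at all. In the table, neighbouring entries such as .vop_create, .vop_link and .vop_mkdir use VOP_PANIC, so a later reader cannot tell why bmap got a soft error instead. A one-line comment above .vop_bmap and .vop_ioctl stating which case each covers would prevent someone from "tightening" .vop_ioctl to VOP_PANIC and reintroducing a user-triggerable panic.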
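Review bot: The handlers that stay in the file after the @@ -166,43 +164,6 @@ hunk should be checked for the same self-dispatch that is removed here. Both deleted functions re-issued the operation on the same dead vnode (VOP_IOCTL_AP(ap) and VOP_BMAP(ap->a_vp, ...)), and the deleted XXX comment had already asked whether that recurses. The prototype list still names dead_lookup, dead_open and dead_poll, so confirming that none of them calls back through a VOP_* macro on ap->a_vp belongs in this change, ahead of the MFC. It would also help to add a regression test for the case named in the log (ioctl on a procfs file descriptor whose process has exited) that expects EBADF.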