Date:      Thu, 24 Nov 2011 20:34:06 +0000 (UTC)
From:      Konstantin Belousov <kib@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r227952 - head/sys/kern
Message-ID:  <201111242034.pAOKY6FN011539@svn.freebsd.org>

Author: kib
Date: Thu Nov 24 20:34:06 2011
New Revision: 227952
URL: http://svn.freebsd.org/changeset/base/227952

Log:
  Fix a race between getvnode() dereferencing half-constructed file
  and dupfdopen().
  
  Reported and tested by:	pho
  MFC after:	3 days

Modified:
  head/sys/kern/vfs_syscalls.c

Modified: head/sys/kern/vfs_syscalls.c
==============================================================================
--- head/sys/kern/vfs_syscalls.c	Thu Nov 24 20:31:06 2011	(r227951)
+++ head/sys/kern/vfs_syscalls.c	Thu Nov 24 20:34:06 2011	(r227952)
@@ -4344,7 +4344,20 @@ getvnode(struct filedesc *fdp, int fd, c
 		fp = fp_fromcap;
 	}
 #endif /* CAPABILITIES */
-	if (fp->f_vnode == NULL) {
+
+	/*
+	 * The file could be not of the vnode type, or it may be not
+	 * yet fully initialized, in which case the f_vnode pointer
+	 * may be set, but f_ops is still badfileops.  E.g.,
+	 * devfs_open() transiently create such situation to
+	 * facilitate csw d_fdopen().
+	 *
+	 * Dupfdopen() handling in kern_openat() installs the
+	 * half-baked file into the process descriptor table, allowing
+	 * other thread to dereference it. Guard against the race by
+	 * checking f_ops.
+	 */
+	if (fp->f_vnode == NULL || fp->f_ops == &badfileops) {
 		fdrop(fp, curthread);
 		return (EINVAL);
 	}
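Review bot: The new guard at the end of the hunk, `fp->f_vnode == NULL || fp->f_ops == &badfileops`, is an unlocked read, so it only closes the race if the code that finishes constructing the file publishes `f_ops` after every other field it initializes (the comment already relies on `f_vnode` being set while `f_ops` is still `badfileops`); the comment should state that ordering dependency explicitly so a later change to the open path does not silently reorder the stores and reopen the window. The comment text itself should also read "transiently creates such a situation" and "allowing another thread to dereference it".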