From: Jamie Gritton Date: Wed, 24 Jun 2009 15:29:36 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r194841 - head/sys/kern X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Jun 2009 15:29:37 -0000 Author: jamie Date: Wed Jun 24 15:29:36 2009 New Revision: 194841 URL: http://svn.freebsd.org/changeset/base/194841 Log: Fix a race in vi_if_move, where a vnet is used after the prison that referred to it has been released. Approved by: bz (mentor) Modified: head/sys/kern/kern_vimage.c Modified: head/sys/kern/kern_vimage.c ============================================================================== --- head/sys/kern/kern_vimage.c Wed Jun 24 15:24:51 2009 (r194840) +++ head/sys/kern/kern_vimage.c Wed Jun 24 15:29:36 2009 (r194841) @@ -117,9 +117,11 @@ vi_if_move(struct thread *td, struct ifn struct prison *pr; struct vimage *new_vip, *my_vip; struct vnet *new_vnet; + int error; if (vi_req != NULL) { /* SIOCSIFVIMAGE */ + pr = NULL; /* Check for API / ABI version mismatch. */ if (vi_req->vi_api_cookie != VI_API_COOKIE) return (EDOOFUS); @@ -148,6 +150,7 @@ vi_if_move(struct thread *td, struct ifn sx_sunlock(&allprison_lock); if (pr == NULL) return (ENXIO); + prison_hold_locked(pr); mtx_unlock(&pr->pr_mtx); if (ifp != NULL) { /* SIOCSIFVNET */ 
@@ -158,31 +161,35 @@ vi_if_move(struct thread *td, struct ifn CURVNET_SET(pr->pr_vnet); ifp = ifunit(ifname); CURVNET_RESTORE(); - if (ifp == NULL) + if (ifp == NULL) { + prison_free(pr); return (ENXIO); + } } - - /* No-op if the target jail has the same vnet. */ - if (new_vnet == ifp->if_vnet) - return (0); } - /* - * Check for naming clashes in target vnet. Not locked so races - * are possible. - */ - CURVNET_SET_QUIET(new_vnet); - t_ifp = ifunit(ifname); - CURVNET_RESTORE(); - if (t_ifp != NULL) - return (EEXIST); - - /* Detach from curvnet and attach to new_vnet. */ - if_vmove(ifp, new_vnet); + error = 0; + if (new_vnet != ifp->if_vnet) { + /* + * Check for naming clashes in target vnet. Not locked so races + * are possible. + */ + CURVNET_SET_QUIET(new_vnet); + t_ifp = ifunit(ifname); + CURVNET_RESTORE(); + if (t_ifp != NULL) + error = EEXIST; + else { + /* Detach from curvnet and attach to new_vnet. */ + if_vmove(ifp, new_vnet); - /* Report the new if_xname back to the userland */ - sprintf(ifname, "%s", ifp->if_xname); - return (0); + /* Report the new if_xname back to the userland */ + sprintf(ifname, "%s", ifp->if_xname); + } + } + if (pr != NULL) + prison_free(pr); + return (error); } /*
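Review bot: In the first hunk (@@ -117,9 +117,11 @@), `pr = NULL;` is assigned only at the top of the `vi_req != NULL` branch, yet the new exit code `if (pr != NULL) prison_free(pr);` relies on it to tell the two ioctl paths apart. A one-line comment next to the assignment saying that a non-NULL pr at exit means a held reference that must be dropped would keep a later edit from adding a path that reaches the exit with pr unset or unheld.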
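Review bot: In the second hunk (@@ -148,6 +150,7 @@), once `prison_hold_locked(pr);` is taken every later exit has to pair it with `prison_free(pr)`, and the lines between the end of this hunk and the start of the next one are not shown. The visible exits are covered (the `ifp == NULL` return and the common exit), so please confirm there is no other `return` in the unshown lines of the SIOCSIFVNET branch that would leak the reference.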
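Review bot: In the third hunk (@@ -158,31 +161,35 @@), the name-clash check is still a check-then-act sequence: `ifunit(ifname)` in the target vnet and the later `if_vmove(ifp, new_vnet)` run with no lock held between them, as the retained comment "Not locked so races are possible" admits. The prison hold fixes the lifetime of the vnet but not this window, so the commit message could say that this race is left as is. Since `sprintf(ifname, "%s", ifp->if_xname);` is being re-indented here anyway, a bounded copy sized to the ifname buffer (its size is not visible in this hunk) would be safer than an unbounded sprintf.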