From owner-svn-src-all@FreeBSD.ORG Wed Jun 10 13:57:37 2009 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4958D106588A; Wed, 10 Jun 2009 13:57:37 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 3731D8FC2C; Wed, 10 Jun 2009 13:57:37 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n5ADvbuh015468; Wed, 10 Jun 2009 13:57:37 GMT (envelope-from kib@svn.freebsd.org) Received: (from kib@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id n5ADvbGU015465; Wed, 10 Jun 2009 13:57:37 GMT (envelope-from kib@svn.freebsd.org) Message-Id: <200906101357.n5ADvbGU015465@svn.freebsd.org> 
From: Konstantin Belousov Date: Wed, 10 Jun 2009 13:57:37 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r193919 - in head/sys/fs: cd9660 devfs pseudofs X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Jun 2009 13:57:38 -0000 Author: kib Date: Wed Jun 10 13:57:36 2009 New Revision: 193919 URL: http://svn.freebsd.org/changeset/base/193919 Log: VOP_IOCTL takes unlocked vnode as an argument. Due to this, v_data may be NULL or derefenced memory may become free at arbitrary moment. Lock the vnode in cd9660, devfs and pseudofs implementation of VOP_IOCTL to prevent reclaim; check whether the vnode was already reclaimed after the lock is granted. Reported by: georg at dts su Reviewed by: des (pseudofs) MFC after: 2 weeks Modified: head/sys/fs/cd9660/cd9660_vnops.c head/sys/fs/devfs/devfs_vnops.c head/sys/fs/pseudofs/pseudofs_vnops.c Modified: head/sys/fs/cd9660/cd9660_vnops.c ============================================================================== --- head/sys/fs/cd9660/cd9660_vnops.c Wed Jun 10 13:56:42 2009 (r193918) +++ head/sys/fs/cd9660/cd9660_vnops.c Wed Jun 10 13:57:36 2009 (r193919) 
@@ -251,20 +251,31 @@ cd9660_ioctl(ap) struct thread *a_td; } */ *ap; { - struct vnode *vp = ap->a_vp; - struct iso_node *ip = VTOI(vp); + struct vnode *vp; + struct iso_node *ip; + int error; - if (vp->v_type == VCHR || vp->v_type == VBLK) + vp = ap->a_vp; + vn_lock(vp, LK_SHARED | LK_RETRY); + if (vp->v_type == VCHR || vp->v_type == VBLK) { + VOP_UNLOCK(vp, 0); return (EOPNOTSUPP); + } - switch (ap->a_command) { + ip = VTOI(vp); + error = 0; + switch (ap->a_command) { case FIOGETLBA: *(int *)(ap->a_data) = ip->iso_start; - return 0; + break; default: - return (ENOTTY); + error = ENOTTY; + break; } + + VOP_UNLOCK(vp, 0); + return (error); } /*
Modified: head/sys/fs/devfs/devfs_vnops.c
==============================================================================
--- head/sys/fs/devfs/devfs_vnops.c Wed Jun 10 13:56:42 2009 (r193918)
+++ head/sys/fs/devfs/devfs_vnops.c Wed Jun 10 13:57:36 2009 (r193919)
@@ -1276,11 +1276,19 @@ devfs_revoke(struct vop_revoke_args *ap) static int devfs_rioctl(struct vop_ioctl_args *ap) { - int error; + struct vnode *vp; struct devfs_mount *dmp; + int error; - dmp = VFSTODEVFS(ap->a_vp->v_mount); + vp = ap->a_vp; + vn_lock(vp, LK_SHARED | LK_RETRY); + if (vp->v_iflag & VI_DOOMED) { + VOP_UNLOCK(vp, 0); + return (EBADF); + } + dmp = VFSTODEVFS(vp->v_mount); sx_xlock(&dmp->dm_lock); + VOP_UNLOCK(vp, 0); DEVFS_DMP_HOLD(dmp); devfs_populate(dmp); if (DEVFS_DMP_DROP(dmp)) {
Modified: head/sys/fs/pseudofs/pseudofs_vnops.c
==============================================================================
--- head/sys/fs/pseudofs/pseudofs_vnops.c Wed Jun 10 13:56:42 2009 (r193918)
+++ head/sys/fs/pseudofs/pseudofs_vnops.c Wed Jun 10 13:57:36 2009 (r193919)
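Review bot: The cd9660 hunk never checks whether the vnode was reclaimed after `vn_lock(vp, LK_SHARED | LK_RETRY)` returns, unlike the devfs and pseudofs hunks of this same commit, even though the log message describes that check as part of the fix. LK_RETRY lets vn_lock succeed on a doomed vnode, and as far as I recall reclaim changes v_type away from VCHR/VBLK rather than to it, so the type test will not catch it and `VTOI(vp)` followed by the `ip->iso_start` read under FIOGETLBA can land on the NULL or freed v_data the log describes. Mirror the other two hunks directly after the lock: `if (vp->v_iflag & VI_DOOMED) { VOP_UNLOCK(vp, 0); return (EBADF); }`. The argument declaration of cd9660_ioctl begins before the hunk.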
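Review bot: In devfs_rioctl the shared vnode lock is taken and then dropped right after `sx_xlock(&dmp->dm_lock)`, and nothing says why, so a later reader will see a lock/unlock pair that appears to protect nothing. A comment at the `vn_lock` call such as `/* Hold the vnode lock while reading v_mount so a concurrent reclaim cannot pull it out from under us; VI_DOOMED means reclaim already ran. */` would capture the intent the log message gives. Reading `v_iflag` here without the interlock looks acceptable to me, since VI_DOOMED, as I understand it, is only set with the vnode lock held exclusively and the shared lock therefore stabilises the flag, but that reasoning deserves a one-line comment too. The body of devfs_rioctl continues past the end of the hunk.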
@@ -260,34 +260,50 @@ pfs_getattr(struct vop_getattr_args *va) static int pfs_ioctl(struct vop_ioctl_args *va) { - struct vnode *vn = va->a_vp; - struct pfs_vdata *pvd = vn->v_data; - struct pfs_node *pn = pvd->pvd_pn; + struct vnode *vn; + struct pfs_vdata *pvd; + struct pfs_node *pn; struct proc *proc; int error; + vn = va->a_vp; + vn_lock(vn, LK_SHARED | LK_RETRY); + if (vn->v_iflag & VI_DOOMED) { + VOP_UNLOCK(vn, 0); + return (EBADF); + } + pvd = vn->v_data; + pn = pvd->pvd_pn; + PFS_TRACE(("%s: %lx", pn->pn_name, va->a_command)); pfs_assert_not_owned(pn); - if (vn->v_type != VREG) + if (vn->v_type != VREG) { + VOP_UNLOCK(vn, 0); PFS_RETURN (EINVAL); + } KASSERT_PN_IS_FILE(pn); - if (pn->pn_ioctl == NULL) + if (pn->pn_ioctl == NULL) { + VOP_UNLOCK(vn, 0); PFS_RETURN (ENOTTY); + } /* * This is necessary because process' privileges may * have changed since the open() call. */ - if (!pfs_visible(curthread, pn, pvd->pvd_pid, &proc)) + if (!pfs_visible(curthread, pn, pvd->pvd_pid, &proc)) { + VOP_UNLOCK(vn, 0); PFS_RETURN (EIO); + } error = pn_ioctl(curthread, proc, pn, va->a_command, va->a_data); if (proc != NULL) PROC_UNLOCK(proc); + VOP_UNLOCK(vn, 0); PFS_RETURN (error); }
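Review bot: pn_ioctl and pfs_visible now execute with the vnode shared-locked, and nothing in pfs_ioctl states that for the per-node ioctl handlers, which live outside this file; a handler that locks the same vnode, or takes a lock ordered before vnode locks, would now deadlock or trip WITNESS. Add a comment above the `error = pn_ioctl(...)` line along the lines of `/* vn is held shared across the callback: pn_ioctl handlers must not lock the vnode or anything ordered before it. */`. The four early returns each carry their own `VOP_UNLOCK(vn, 0)` before `PFS_RETURN`, which is correct as written but easy to break in a future edit; a single unlock at an `out:` label would make the pairing mechanical. The ordering otherwise reads fine, since `pvd` and `pn` are only read after the VI_DOOMED check and `PROC_UNLOCK` precedes the final `VOP_UNLOCK`.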