Date:      Fri, 22 Jan 2016 20:35:20 +0000 (UTC)
From:      Konstantin Belousov <kib@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r294596 - head/sys/kern
Message-ID:  <201601222035.u0MKZKKX014389@repo.freebsd.org>

Author: kib
Date: Fri Jan 22 20:35:20 2016
New Revision: 294596
URL: https://svnweb.freebsd.org/changeset/base/294596

Log:
  The struct file f_advice member is overlaid with the devfs f_cdevpriv
  data.  If the vnode bypass for a devfs file failed, vn_read/vn_write are
  called and might try to dereference f_advice.  Limit the accesses to
  f_advice to VREG vnodes only, which is the type ensured by
  posix_fadvise().
  
  The f_advice for regular files is protected by the mtxpool lock.  Recheck
  that f_advice is not NULL after the lock is taken.
  
  Reported and tested by:	bde
  Sponsored by:	The FreeBSD Foundation
  MFC after:	3 weeks

Modified:
  head/sys/kern/vfs_vnops.c

Modified: head/sys/kern/vfs_vnops.c
==============================================================================
--- head/sys/kern/vfs_vnops.c	Fri Jan 22 20:30:51 2016	(r294595)
+++ head/sys/kern/vfs_vnops.c	Fri Jan 22 20:35:20 2016	(r294596)
@@ -743,12 +743,13 @@ get_advice(struct file *fp, struct uio *
 	int ret;
 
 	ret = POSIX_FADV_NORMAL;
-	if (fp->f_advice == NULL)
+	if (fp->f_advice == NULL || fp->f_vnode->v_type != VREG)
 		return (ret);
 
 	mtxp = mtx_pool_find(mtxpool_sleep, fp);
 	mtx_lock(mtxp);
-	if (uio->uio_offset >= fp->f_advice->fa_start &&
+	if (fp->f_advice != NULL &&
+	    uio->uio_offset >= fp->f_advice->fa_start &&
 	    uio->uio_offset + uio->uio_resid <= fp->f_advice->fa_end)
 		ret = fp->f_advice->fa_advice;
 	mtx_unlock(mtxp);
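Review bot: the second `fp->f_advice != NULL &&` test under mtx_lock() is what makes the unlocked early return above it safe, but nothing in the hunk says so; a reader is likely to take the recheck for a redundant copy of the first test. Suggest a one-line comment above it stating that the first `fp->f_advice == NULL` check is an unlocked fast path and f_advice may be cleared between that check and taking the pool mutex. The `fp->f_vnode->v_type != VREG` clause is correctly placed before the lock and after the NULL test: for a non-VREG vnode the pointer holds devfs f_cdevpriv data, so the function must return POSIX_FADV_NORMAL without ever dereferencing it, and the short-circuit ordering keeps that explicit.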


