Date: Mon, 5 Oct 2020 19:38:51 +0000 (UTC) From: Mateusz Guzik <mjg@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r366462 - in head/sys: kern sys Message-ID: <202010051938.095Jcp7v049331@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: mjg Date: Mon Oct 5 19:38:51 2020 New Revision: 366462 URL: https://svnweb.freebsd.org/changeset/base/366462 Log: cache: fix pwd use-after-free in setting up fallback Since the code exits smr section prior to calling pwd_hold, the used pwd can be freed and a new one allocated with the same address, making the comparison erroneously true. Note it is very unlikely anyone ran into it. Modified: head/sys/kern/kern_descrip.c head/sys/kern/vfs_cache.c head/sys/sys/filedesc.h Modified: head/sys/kern/kern_descrip.c ============================================================================== --- head/sys/kern/kern_descrip.c Mon Oct 5 19:26:54 2020 (r366461) +++ head/sys/kern/kern_descrip.c Mon Oct 5 19:38:51 2020 (r366462) @@ -3344,6 +3344,17 @@ pwd_hold_filedesc(struct filedesc *fdp) return (pwd); } +bool +pwd_hold_smr(struct pwd *pwd) +{ + + MPASS(pwd != NULL); + if (__predict_true(refcount_acquire_if_not_zero(&pwd->pwd_refcount))) { + return (true); + } + return (false); +} + struct pwd * pwd_hold(struct thread *td) { @@ -3354,8 +3365,7 @@ pwd_hold(struct thread *td) vfs_smr_enter(); pwd = vfs_smr_entered_load(&fdp->fd_pwd); - MPASS(pwd != NULL); - if (__predict_true(refcount_acquire_if_not_zero(&pwd->pwd_refcount))) { + if (pwd_hold_smr(pwd)) { vfs_smr_exit(); return (pwd); } Modified: head/sys/kern/vfs_cache.c ============================================================================== --- head/sys/kern/vfs_cache.c Mon Oct 5 19:26:54 2020 (r366461) +++ head/sys/kern/vfs_cache.c Mon Oct 5 19:38:51 2020 (r366462) @@ -3484,25 +3484,24 @@ cache_fplookup_partial_setup(struct cache_fpl *fpl) ndp = fpl->ndp; cnp = fpl->cnp; + pwd = fpl->pwd; dvp = fpl->dvp; dvp_seqc = fpl->dvp_seqc; - dvs = vget_prep_smr(dvp); - if (__predict_false(dvs == VGET_NONE)) { + if (!pwd_hold_smr(pwd)) { cache_fpl_smr_exit(fpl); return (cache_fpl_aborted(fpl)); } + dvs = vget_prep_smr(dvp); cache_fpl_smr_exit(fpl); - - vget_finish_ref(dvp, dvs); - if (!vn_seqc_consistent(dvp, dvp_seqc)) { - vrele(dvp); + if (__predict_false(dvs == VGET_NONE)) { + pwd_drop(pwd); return (cache_fpl_aborted(fpl)); } - pwd = pwd_hold(curthread); - if (fpl->pwd != pwd) { + vget_finish_ref(dvp, dvs); + if (!vn_seqc_consistent(dvp, dvp_seqc)) { vrele(dvp); pwd_drop(pwd); return (cache_fpl_aborted(fpl)); Modified: head/sys/sys/filedesc.h ============================================================================== --- head/sys/sys/filedesc.h Mon Oct 5 19:26:54 2020 (r366461) +++ head/sys/sys/filedesc.h Mon Oct 5 19:38:51 2020 (r366462) @@ -302,6 +302,7 @@ void pwd_ensure_dirs(void); void pwd_set_rootvnode(void); struct pwd *pwd_hold_filedesc(struct filedesc *fdp); +bool pwd_hold_smr(struct pwd *pwd); struct pwd *pwd_hold(struct thread *td); void pwd_drop(struct pwd *pwd); static inline void
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202010051938.095Jcp7v049331>