Date:      Thu, 13 Sep 2012 13:05:46 +0000 (UTC)
From:      Konstantin Belousov <kib@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r240464 - head/sys/fs/deadfs
Message-ID:  <201209131305.q8DD5kbF002792@svn.freebsd.org>

Author: kib
Date: Thu Sep 13 13:05:45 2012
New Revision: 240464
URL: http://svn.freebsd.org/changeset/base/240464

Log:
  The deadfs VOPs for vop_ioctl and vop_bmap call themselves recursively,
  which is an elaborate way to cause kernel panic. Change the VOPs
  implementation to return EBADF for a reclaimed vnode.
  
  While the calls to vop_bmap should not reach deadfs, it is indeed
  possible for vop_ioctl, because the VOP locking protocol is to pass
  the vnode to VOP unlocked. The actual panic was observed when ioctl
  was called on procfs filedescriptor which pointed to an exited
  process.
  
  Reported by:	zont
  Tested by:	pho
  MFC after:	1 week

Modified:
  head/sys/fs/deadfs/dead_vnops.c

Modified: head/sys/fs/deadfs/dead_vnops.c
==============================================================================
--- head/sys/fs/deadfs/dead_vnops.c	Thu Sep 13 12:55:10 2012	(r240463)
+++ head/sys/fs/deadfs/dead_vnops.c	Thu Sep 13 13:05:45 2012	(r240464)
@@ -41,8 +41,6 @@
 /*
  * Prototypes for dead operations on vnodes.
  */
-static vop_bmap_t	dead_bmap;
-static vop_ioctl_t	dead_ioctl;
 static vop_lookup_t	dead_lookup;
 static vop_open_t	dead_open;
 static vop_poll_t	dead_poll;
@@ -56,12 +54,12 @@ struct vop_vector dead_vnodeops = {
 
 	.vop_access =		VOP_EBADF,
 	.vop_advlock =		VOP_EBADF,
-	.vop_bmap =		dead_bmap,
+	.vop_bmap =		VOP_EBADF,
 	.vop_create =		VOP_PANIC,
 	.vop_getattr =		VOP_EBADF,
 	.vop_getwritemount =	dead_getwritemount,
 	.vop_inactive =		VOP_NULL,
-	.vop_ioctl =		dead_ioctl,
+	.vop_ioctl =		VOP_EBADF,
 	.vop_link =		VOP_PANIC,
 	.vop_lookup =		dead_lookup,
 	.vop_mkdir =		VOP_PANIC,
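Review bot: The new `.vop_bmap = VOP_EBADF` entry carries no comment explaining why bmap fails soft with EBADF while the neighbouring `.vop_create`, `.vop_link` and `.vop_mkdir` entries use VOP_PANIC, even though the log says vop_bmap should never reach deadfs. Without that record a later cleanup could "tighten" it to VOP_PANIC and reintroduce a panic path on a reclaimed vnode, which is the class of bug this commit removes. Suggest annotating the line: `.vop_bmap = VOP_EBADF, /* should not be reached on a dead vnode; fail with EBADF rather than panic */`. The same applies to `.vop_ioctl = VOP_EBADF`, which is reachable because VOP_IOCTL is entered with the vnode unlocked; the dead_vnodeops initializer starts and ends outside this hunk.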
@@ -166,43 +164,6 @@ dead_write(ap)
 }
 
 /*
- * Device ioctl operation.
- */
-/* ARGSUSED */
-static int
-dead_ioctl(ap)
-	struct vop_ioctl_args /* {
-		struct vnode *a_vp;
-		u_long  a_command;
-		caddr_t  a_data;
-		int  a_fflag;
-		struct ucred *a_cred;
-		struct proc *a_p;
-	} */ *ap;
-{
-	/* XXX: Doesn't this just recurse back here ? */
-	return (VOP_IOCTL_AP(ap));
-}
-
-/*
- * Wait until the vnode has finished changing state.
- */
-static int
-dead_bmap(ap)
-	struct vop_bmap_args /* {
-		struct vnode *a_vp;
-		daddr_t  a_bn;
-		struct bufobj **a_bop;
-		daddr_t *a_bnp;
-		int *a_runp;
-		int *a_runb;
-	} */ *ap;
-{
-
-	return (VOP_BMAP(ap->a_vp, ap->a_bn, ap->a_bop, ap->a_bnp, ap->a_runp, ap->a_runb));
-}
-
-/*
  * Trivial poll routine that always returns POLLHUP.
  * This is necessary so that a process which is polling a file
  * gets notified when that file is revoke()d.


