Date: Fri, 2 Jan 2009 03:35:18 GMT
From: Mateusz Guzik <mjguzik@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/130107: [devctl][patch] in devctl_queue_data(): possible use of bogus pointer to proc to send SIGIO
Message-ID: <200901020335.n023ZIb9076608@www.freebsd.org>
Resent-Message-ID: <200901020340.n023e2f5085141@freefall.freebsd.org>
>Number:         130107
>Category:       kern
>Synopsis:       [devctl][patch] in devctl_queue_data(): possible use of bogus pointer to proc to send SIGIO
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 02 03:40:02 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Mateusz Guzik
>Release:        8.0-CURRENT
>Organization:
>Environment:
FreeBSD eternal 8.0-CURRENT FreeBSD 8.0-CURRENT #13: Fri Jan 2 04:49:43 CET 2009 root@:/usr/obj/usr/src/sys/ETERNAL i386
>Description:
If devsoftc.async_proc is not NULL, devctl_queue_data() sends SIGIO to the process pointed to by it. devctl's reader can use ioctl FIOASYNC to make this happen. But devsoftc.async_proc is not NULLed on close, so if the reader dies, devctl_queue_data() still sends SIGIO (but using a bogus pointer).
>How-To-Repeat:
>Fix:
"devsoftc.async_proc = NULL;" at the beginning of devclose() fixes the problem. (Perhaps the similar line from devopen() can go away?)

Patch attached with submission follows:

--- sys/kern/subr_bus.c.orig	2008-11-18 22:01:54.000000000 +0100
+++ sys/kern/subr_bus.c	2009-01-02 04:34:09.000000000 +0100
@@ -416,6 +416,7 @@
 devclose(struct cdev *dev, int fflag, int devtype, d_thread_t *td)
 {
 	devsoftc.inuse = 0;
+	devsoftc.async_proc = NULL;
 	mtx_lock(&devsoftc.mtx);
 	cv_broadcast(&devsoftc.cv);
 	mtx_unlock(&devsoftc.mtx);
>Release-Note:
>Audit-Trail:
>Unformatted:
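Review bot: the new `devsoftc.async_proc = NULL;` store is placed before `mtx_lock(&devsoftc.mtx);`, so it is not ordered against a concurrent devctl_queue_data() that reads async_proc; if that reader takes devsoftc.mtx (the hunk shows the close path already using it for cv_broadcast), the clear should sit inside the locked region, e.g. `mtx_lock(&devsoftc.mtx); devsoftc.async_proc = NULL; cv_broadcast(&devsoftc.cv);`, so a queue_data() in flight either sees the old owner while the reader still exists or sees NULL, never a pointer to a process that has already gone away. The reset in devopen() mentioned in the Fix text becomes redundant once close clears the owner, but it is harmless to keep as a second guard.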
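The lifetime problem described in the report, as an added user-space model (this is not the FreeBSD devctl code and not part of the PR): a driver softc remembers the process that asked for SIGIO via FIOASYNC, and close() must forget that owner, otherwise a later queue_data() signals through a pointer to a process that no longer exists. All names here (model_proc, model_softc, model_scenario, and the lock counter standing in for devsoftc.mtx) are hypothetical. Rather than dereferencing a freed process structure, the model counts signals aimed at a dead owner so the two close() variants can be compared.

```c
/* Added example: user-space model of the devctl async-owner lifecycle.
 * Names are hypothetical; the lock is a counter, not a real mutex. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

#define SIGIO_MODEL 23   /* stand-in for SIGIO */

struct model_proc {
    int pid;
    bool alive;          /* false once the process has exited */
    int last_signal;     /* last signal "delivered", 0 if none */
};

struct model_softc {
    int mtx_held;                   /* models devsoftc.mtx: abort on reentry */
    bool inuse;
    struct model_proc *async_proc;  /* owner registered through FIOASYNC */
    int bogus_signals;              /* signals aimed at a dead owner */
};

static void model_lock(struct model_softc *sc)
{
    if (sc->mtx_held) abort();      /* the real mutex would deadlock/panic */
    sc->mtx_held = 1;
}

static void model_unlock(struct model_softc *sc) { sc->mtx_held = 0; }

static void model_init(struct model_softc *sc)
{
    sc->mtx_held = 0; sc->inuse = false;
    sc->async_proc = NULL; sc->bogus_signals = 0;
}

/* open: single reader; forget any owner left by a previous reader */
static int model_open(struct model_softc *sc)
{
    model_lock(sc);
    if (sc->inuse) { model_unlock(sc); return -1; }   /* EBUSY */
    sc->inuse = true;
    sc->async_proc = NULL;
    model_unlock(sc);
    return 0;
}

/* FIOASYNC: the reader asks to be signalled when data is queued */
static void model_ioctl_fioasync(struct model_softc *sc,
                                 struct model_proc *p, bool on)
{
    model_lock(sc);
    sc->async_proc = on ? p : NULL;
    model_unlock(sc);
}

/* close as before the patch: the owner pointer is left dangling */
static void model_close_buggy(struct model_softc *sc)
{
    model_lock(sc);
    sc->inuse = false;
    model_unlock(sc);
}

/* close as intended by the patch: owner cleared under the same lock
 * that queue_data() takes before reading it */
static void model_close_fixed(struct model_softc *sc)
{
    model_lock(sc);
    sc->inuse = false;
    sc->async_proc = NULL;
    model_unlock(sc);
}

/* Signal delivery: a kernel would dereference p here; we record misuse. */
static void model_psignal(struct model_softc *sc, struct model_proc *p)
{
    if (!p->alive) { sc->bogus_signals++; return; }
    p->last_signal = SIGIO_MODEL;
}

/* Mirrors devctl_queue_data(): signal the async owner if one is set */
static void model_queue_data(struct model_softc *sc)
{
    model_lock(sc);
    if (sc->async_proc != NULL)
        model_psignal(sc, sc->async_proc);
    model_unlock(sc);
}

/* Scenario from the PR: reader registers, an event is queued, the reader
 * exits (which closes the device), then another event is queued.
 * Returns how many signals were aimed at the dead reader. */
static int model_scenario(bool fixed_close)
{
    struct model_softc sc;
    struct model_proc reader = { .pid = 1234, .alive = true, .last_signal = 0 };

    model_init(&sc);
    if (model_open(&sc) != 0) return -1;
    model_ioctl_fioasync(&sc, &reader, true);
    model_queue_data(&sc);                 /* reader alive: SIGIO delivered */
    if (fixed_close) model_close_fixed(&sc); else model_close_buggy(&sc);
    reader.alive = false;                  /* process gone; its proc is garbage */
    model_queue_data(&sc);                 /* event after the reader left */
    return sc.bogus_signals;               /* 1 buggy, 0 fixed */
}
```

With the unpatched close the second queue_data() still finds the old owner and signals a process that has exited (one bogus signal); with the owner cleared on close it signals nobody. Clearing under the lock, rather than before taking it as the submitted hunk does, is what keeps a concurrent queue_data() from observing the stale pointer.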