authorkib <kib@FreeBSD.org>2012-09-13 13:05:45 +0000
committerkib <kib@FreeBSD.org>2012-09-13 13:05:45 +0000
commit10608e7d855a9c973b57055bfc2e87284c68ce9e (patch)
tree4a1c7c3f5e51132eef47883a5fc11727375f8e2c
parent292a32313d952d75e33dffe6fa8ee77e8fb0ae98 (diff)
downloadFreeBSD-src-10608e7d855a9c973b57055bfc2e87284c68ce9e.zip
FreeBSD-src-10608e7d855a9c973b57055bfc2e87284c68ce9e.tar.gz
The deadfs VOPs for vop_ioctl and vop_bmap call themselves recursively,
which is an elaborate way to cause a kernel panic. Change the VOP implementations to return EBADF for a reclaimed vnode. While the calls to vop_bmap should not reach deadfs, it is indeed possible for vop_ioctl, because the VOP locking protocol is to pass the vnode to the VOP unlocked. The actual panic was observed when ioctl was called on a procfs file descriptor which pointed to an exited process. Reported by: zont Tested by: pho MFC after: 1 week
-rw-r--r--sys/fs/deadfs/dead_vnops.c43
1 files changed, 2 insertions, 41 deletions
diff --git a/sys/fs/deadfs/dead_vnops.c b/sys/fs/deadfs/dead_vnops.c
index e255654..9a107dd 100644
--- a/sys/fs/deadfs/dead_vnops.c
+++ b/sys/fs/deadfs/dead_vnops.c
@@ -41,8 +41,6 @@
/*
* Prototypes for dead operations on vnodes.
*/
-static vop_bmap_t dead_bmap;
-static vop_ioctl_t dead_ioctl;
static vop_lookup_t dead_lookup;
static vop_open_t dead_open;
static vop_poll_t dead_poll;
@@ -56,12 +54,12 @@ struct vop_vector dead_vnodeops = {
.vop_access = VOP_EBADF,
.vop_advlock = VOP_EBADF,
- .vop_bmap = dead_bmap,
+ .vop_bmap = VOP_EBADF,
.vop_create = VOP_PANIC,
.vop_getattr = VOP_EBADF,
.vop_getwritemount = dead_getwritemount,
.vop_inactive = VOP_NULL,
- .vop_ioctl = dead_ioctl,
+ .vop_ioctl = VOP_EBADF,
.vop_link = VOP_PANIC,
.vop_lookup = dead_lookup,
.vop_mkdir = VOP_PANIC,
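Review bot: The two new `VOP_EBADF` entries for `.vop_bmap` and `.vop_ioctl` carry no comment explaining why they fail softly while neighbours such as `.vop_create` and `.vop_link` stay `VOP_PANIC`; the reason exists only in the commit message. According to that message, ioctl receives the vnode unlocked, so a reclaim can route the call to deadfs, and the old handler turned that into a panic that a userland ioctl() on a stale procfs descriptor could trigger. I would add above `.vop_ioctl`: `/* Called with the vnode unlocked, so a reclaimed vnode can legitimately reach deadfs here: fail with EBADF, never panic. */`, and a shorter note on `.vop_bmap` that it is not expected to reach deadfs and returns EBADF defensively. The `dead_vnodeops` initializer starts and ends outside this hunk, so the remaining `VOP_PANIC` entries could not be checked for the same unlocked-call exposure.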
@@ -166,43 +164,6 @@ dead_write(ap)
}
/*
- * Device ioctl operation.
- */
-/* ARGSUSED */
-static int
-dead_ioctl(ap)
- struct vop_ioctl_args /* {
- struct vnode *a_vp;
- u_long a_command;
- caddr_t a_data;
- int a_fflag;
- struct ucred *a_cred;
- struct proc *a_p;
- } */ *ap;
-{
- /* XXX: Doesn't this just recurse back here ? */
- return (VOP_IOCTL_AP(ap));
-}
-
-/*
- * Wait until the vnode has finished changing state.
- */
-static int
-dead_bmap(ap)
- struct vop_bmap_args /* {
- struct vnode *a_vp;
- daddr_t a_bn;
- struct bufobj **a_bop;
- daddr_t *a_bnp;
- int *a_runp;
- int *a_runb;
- } */ *ap;
-{
-
- return (VOP_BMAP(ap->a_vp, ap->a_bn, ap->a_bop, ap->a_bnp, ap->a_runp, ap->a_runb));
-}
-
-/*
* Trivial poll routine that always returns POLLHUP.
* This is necessary so that a process which is polling a file
* gets notified when that file is revoke()d.