authorkib <kib@FreeBSD.org>2009-06-10 13:57:36 +0000
committerkib <kib@FreeBSD.org>2009-06-10 13:57:36 +0000
commite0d7459c716fb9105aa2ae9ebf00c6de6a1f8796 (patch)
tree073060ebf4b60bba932ec2b080cc808f1b347c02 /sys/fs/cd9660
parentff56813d72ced1434a2e9649783a322834dc196f (diff)
VOP_IOCTL takes unlocked vnode as an argument. Due to this, v_data may
be NULL or dereferenced memory may become free at arbitrary moment. Lock the vnode in cd9660, devfs and pseudofs implementation of VOP_IOCTL to prevent reclaim; check whether the vnode was already reclaimed after the lock is granted. Reported by: georg at dts su Reviewed by: des (pseudofs) MFC after: 2 weeks
Diffstat (limited to 'sys/fs/cd9660')
-rw-r--r--sys/fs/cd9660/cd9660_vnops.c23
1 files changed, 17 insertions, 6 deletions
diff --git a/sys/fs/cd9660/cd9660_vnops.c b/sys/fs/cd9660/cd9660_vnops.c
index 4d67251..50541f6 100644
--- a/sys/fs/cd9660/cd9660_vnops.c
+++ b/sys/fs/cd9660/cd9660_vnops.c
@@ -251,20 +251,31 @@ cd9660_ioctl(ap)
struct thread *a_td;
} */ *ap;
{
- struct vnode *vp = ap->a_vp;
- struct iso_node *ip = VTOI(vp);
+ struct vnode *vp;
+ struct iso_node *ip;
+ int error;
- if (vp->v_type == VCHR || vp->v_type == VBLK)
+ vp = ap->a_vp;
+ vn_lock(vp, LK_SHARED | LK_RETRY);
+ if (vp->v_type == VCHR || vp->v_type == VBLK) {
+ VOP_UNLOCK(vp, 0);
return (EOPNOTSUPP);
+ }
- switch (ap->a_command) {
+ ip = VTOI(vp);
+ error = 0;
+ switch (ap->a_command) {
case FIOGETLBA:
*(int *)(ap->a_data) = ip->iso_start;
- return 0;
+ break;
default:
- return (ENOTTY);
+ error = ENOTTY;
+ break;
}
+
+ VOP_UNLOCK(vp, 0);
+ return (error);
}
/*
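Review bot: After `vn_lock(vp, LK_SHARED | LK_RETRY)` the new code goes straight to the `v_type` test and then to `ip = VTOI(vp)` and `ip->iso_start`, with no check that the vnode was reclaimed before the lock was granted, although the commit message says such a check is made. With LK_RETRY the lock is presumably granted on a reclaimed vnode as well, so if v_data has already been cleared, `ip` is NULL and the FIOGETLBA case dereferences it in kernel context. A doomed test placed directly after the lock, for example `if (vp->v_iflag & VI_DOOMED) { VOP_UNLOCK(vp, 0); return (EBADF); }`, would close that window; the errno should match whatever the devfs and pseudofs parts of this change return. The declaration of cd9660_ioctl starts above the hunk, so only the body is visible here.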