VOP_IOCTL takes unlocked vnode as an argument. Due to this, v_data may

be NULL or derefenced memory may become free at arbitrary moment. Lock the vnode in cd9660, devfs and pseudofs implementation of VOP_IOCTL to prevent reclaim; check whether the vnode was already reclaimed after the lock is granted. Reported by: georg at dts su Reviewed by: des (pseudofs) MFC after: 2 weeks
author: kib <kib@FreeBSD.org> 2009-06-10 13:57:36 +0000
committer: kib <kib@FreeBSD.org> 2009-06-10 13:57:36 +0000
commit: e0d7459c716fb9105aa2ae9ebf00c6de6a1f8796 (patch)
tree: 073060ebf4b60bba932ec2b080cc808f1b347c02 /sys/fs/devfs
parent: ff56813d72ced1434a2e9649783a322834dc196f (diff)
download: FreeBSD-src-e0d7459c716fb9105aa2ae9ebf00c6de6a1f8796.zip
FreeBSD-src-e0d7459c716fb9105aa2ae9ebf00c6de6a1f8796.tar.gz
1 files changed, 10 insertions, 2 deletions
diff --git a/sys/fs/devfs/devfs_vnops.c b/sys/fs/devfs/devfs_vnops.c
index 46d7942..f24e12e 100644
--- a/sys/fs/devfs/devfs_vnops.c
+++ b/sys/fs/devfs/devfs_vnops.c
@@ -1276,11 +1276,19 @@ devfs_revoke(struct vop_revoke_args *ap)
 static int
 devfs_rioctl(struct vop_ioctl_args *ap)
 {
-	int error;
+	struct vnode *vp;
 	struct devfs_mount *dmp;
+	int error;
 
-	dmp = VFSTODEVFS(ap->a_vp->v_mount);
+	vp = ap->a_vp;
+	vn_lock(vp, LK_SHARED | LK_RETRY);
+	if (vp->v_iflag & VI_DOOMED) {
+		VOP_UNLOCK(vp, 0);
+		return (EBADF);
+	}
+	dmp = VFSTODEVFS(vp->v_mount);
 	sx_xlock(&dmp->dm_lock);
+	VOP_UNLOCK(vp, 0);
 	DEVFS_DMP_HOLD(dmp);
 	devfs_populate(dmp);
 	if (DEVFS_DMP_DROP(dmp)) {
author	kib <kib@FreeBSD.org>	2009-06-10 13:57:36 +0000
committer	kib <kib@FreeBSD.org>	2009-06-10 13:57:36 +0000
commit	e0d7459c716fb9105aa2ae9ebf00c6de6a1f8796 (patch)
tree	073060ebf4b60bba932ec2b080cc808f1b347c02 /sys/fs/devfs
parent	ff56813d72ced1434a2e9649783a322834dc196f (diff)
download	FreeBSD-src-e0d7459c716fb9105aa2ae9ebf00c6de6a1f8796.zip FreeBSD-src-e0d7459c716fb9105aa2ae9ebf00c6de6a1f8796.tar.gz