authorrwatson <rwatson@FreeBSD.org>2004-08-13 20:27:56 +0000
committerrwatson <rwatson@FreeBSD.org>2004-08-13 20:27:56 +0000
commit6994ab16ad3a31853d01ae1c3fc838808782f8da (patch)
tree2c99fad1b684591602c3d1609d09bc513346f1fa /sys/fs
parentd57fb14ce49e00bf5233be7338332601ae56d884 (diff)
Commit a work-around for a more general bug involving process state:
check whether p_ucred is NULL or not in pfs_getattr() before dereferencing the credential, and return ENOENT if there wasn't one. This is a symptom of a larger problem, wherein pfind() can return references to incompletely initialized processes, and we instead ought to not return them, or check the process state before acting on the process. Reported by: kris Discussed with: tjr, others
Diffstat (limited to 'sys/fs')
-rw-r--r--sys/fs/pseudofs/pseudofs_vnops.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/sys/fs/pseudofs/pseudofs_vnops.c b/sys/fs/pseudofs/pseudofs_vnops.c
index d8fa427..31d7bbd 100644
--- a/sys/fs/pseudofs/pseudofs_vnops.c
+++ b/sys/fs/pseudofs/pseudofs_vnops.c
@@ -197,6 +197,17 @@ pfs_getattr(struct vop_getattr_args *va)
if (pvd->pvd_pid != NO_PID) {
if ((proc = pfind(pvd->pvd_pid)) == NULL)
PFS_RETURN (ENOENT);
+ /*
+ * XXX: pfind() returning incompletely allocated processes
+ * is probably a bug. Or, at least, we should check the
+ * process state, not the ucred pointer. Work around for
+ * now by checking that to avoid a possible NULL pointer
+ * dereference.
+ */
+ if (proc->p_ucred == NULL) {
+ PROC_UNLOCK(proc);
+ PFS_RETURN (ENOENT);
+ }
vap->va_uid = proc->p_ucred->cr_ruid;
vap->va_gid = proc->p_ucred->cr_rgid;
if (pn->pn_attr != NULL)
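Review bot: The guard `if (proc->p_ucred == NULL)` only protects the two dereferences below it if p_ucred is guaranteed to read as NULL from the moment a process becomes visible to pfind() until its credential is assigned, and the XXX comment does not record that assumption. I would add a line such as `* Relies on p_ucred being NULL until the credential is set.` and replace the ambiguous "by checking that" with "by checking p_ucred while the process lock is held". The early-return path does release the lock with `PROC_UNLOCK(proc)` before `PFS_RETURN (ENOENT)`, which is right. Because the fault is reached from a getattr on a per-process node, any other pfind() caller in this file that reads `proc->p_ucred` probably needs the same guard; those callers and the rest of pfs_getattr() are outside this hunk.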