Close the remaining user address mapping races for physical

I/O, CAM, and AIO. Still TODO: streamline useracc() checks. Reviewed by: alc, tegge MFC after: 7 days
author: dillon <dillon@FreeBSD.org> 2003-01-20 17:46:48 +0000
committer: dillon <dillon@FreeBSD.org> 2003-01-20 17:46:48 +0000
commit: e7be7a0432de3e374a6d4cfedc0ef5c8b264a021 (patch)
tree: 9f8f2a306dcef88eb5da009ebff53701aaaeee2b /sys/kern/kern_physio.c
parent: a752ec7b60312f295643dc7eb37ec1318d8c7412 (diff)
download: FreeBSD-src-e7be7a0432de3e374a6d4cfedc0ef5c8b264a021.zip
FreeBSD-src-e7be7a0432de3e374a6d4cfedc0ef5c8b264a021.tar.gz
1 files changed, 11 insertions, 1 deletions
diff --git a/sys/kern/kern_physio.c b/sys/kern/kern_physio.c
index f61b55c..01e3750 100644
--- a/sys/kern/kern_physio.c
+++ b/sys/kern/kern_physio.c
@@ -95,13 +95,23 @@ physio(dev_t dev, struct uio *uio, int ioflag)
 			bp->b_blkno = btodb(bp->b_offset);
 
 			if (uio->uio_segflg == UIO_USERSPACE) {
+				/*
+				 * Note that useracc() alone is not a
+				 * sufficient test.  vmapbuf() can still fail
+				 * due to a smaller file mapped into a larger
+				 * area of VM, or if userland races against
+				 * vmapbuf() after the useracc() check.
+				 */
 				if (!useracc(bp->b_data, bp->b_bufsize,
 				    bp->b_iocmd == BIO_READ ?
 				    VM_PROT_WRITE : VM_PROT_READ)) {
 					error = EFAULT;
 					goto doerror;
 				}
-				vmapbuf(bp);
+				if (vmapbuf(bp) < 0) {
+					error = EFAULT;
+					goto doerror;
+				}
 			}
 
 			DEV_STRATEGY(bp);
author	dillon <dillon@FreeBSD.org>	2003-01-20 17:46:48 +0000
committer	dillon <dillon@FreeBSD.org>	2003-01-20 17:46:48 +0000
commit	e7be7a0432de3e374a6d4cfedc0ef5c8b264a021 (patch)
tree	9f8f2a306dcef88eb5da009ebff53701aaaeee2b /sys/kern/kern_physio.c
parent	a752ec7b60312f295643dc7eb37ec1318d8c7412 (diff)
download	FreeBSD-src-e7be7a0432de3e374a6d4cfedc0ef5c8b264a021.zip FreeBSD-src-e7be7a0432de3e374a6d4cfedc0ef5c8b264a021.tar.gz