Close the remaining user address mapping races for physical

I/O, CAM, and AIO. Still TODO: streamline useracc() checks. Reviewed by: alc, tegge MFC after: 7 days
author: dillon <dillon@FreeBSD.org> 2003-01-20 17:46:48 +0000
committer: dillon <dillon@FreeBSD.org> 2003-01-20 17:46:48 +0000
commit: e7be7a0432de3e374a6d4cfedc0ef5c8b264a021 (patch)
tree: 9f8f2a306dcef88eb5da009ebff53701aaaeee2b /sys/kern/vfs_aio.c
parent: a752ec7b60312f295643dc7eb37ec1318d8c7412 (diff)
download: FreeBSD-src-e7be7a0432de3e374a6d4cfedc0ef5c8b264a021.zip
FreeBSD-src-e7be7a0432de3e374a6d4cfedc0ef5c8b264a021.tar.gz
1 files changed, 13 insertions, 2 deletions
diff --git a/sys/kern/vfs_aio.c b/sys/kern/vfs_aio.c
index bffdf71..9532ff2 100644
--- a/sys/kern/vfs_aio.c
+++ b/sys/kern/vfs_aio.c
@@ -1124,8 +1124,19 @@ aio_qphysio(struct proc *p, struct aiocblist *aiocbe)
 		}
 	}
 
-	/* Bring buffer into kernel space. */
-	vmapbuf(bp);
+	/*
+	 * Bring buffer into kernel space.
+	 *
+	 * Note that useracc() alone is not a 
+	 * sufficient test.  vmapbuf() can still fail
+	 * due to a smaller file mapped into a larger
+	 * area of VM, or if userland races against
+	 * vmapbuf() after the useracc() check.
+	 */
+	if (vmapbuf(bp) < 0) {
+		error = EFAULT;
+		goto doerror;
+	}
 
 	s = splbio();
 	aiocbe->bp = bp;
author	dillon <dillon@FreeBSD.org>	2003-01-20 17:46:48 +0000
committer	dillon <dillon@FreeBSD.org>	2003-01-20 17:46:48 +0000
commit	e7be7a0432de3e374a6d4cfedc0ef5c8b264a021 (patch)
tree	9f8f2a306dcef88eb5da009ebff53701aaaeee2b /sys/kern/vfs_aio.c
parent	a752ec7b60312f295643dc7eb37ec1318d8c7412 (diff)
download	FreeBSD-src-e7be7a0432de3e374a6d4cfedc0ef5c8b264a021.zip FreeBSD-src-e7be7a0432de3e374a6d4cfedc0ef5c8b264a021.tar.gz