MFC r275619:

Check for bo_bufobj->bo_object for NULL and cache the value in local variable to avoid NULL dereference in getnewbuf_reuse_bp(). The vnode owning the buffer is not locked there.
author: kib <kib@FreeBSD.org> 2014-12-15 11:00:56 +0000
committer: kib <kib@FreeBSD.org> 2014-12-15 11:00:56 +0000
commit: 679b472095e0522991b6b16d01ec57aec95f9f55 (patch)
tree: 9e8a673d9b8e17e7d766b531e6bfb7766d1cf196 /sys/kern/vfs_bio.c
parent: 1eabc00156ab7d2214abe4d0bfb6ea2127985ced (diff)
download: FreeBSD-src-679b472095e0522991b6b16d01ec57aec95f9f55.zip
FreeBSD-src-679b472095e0522991b6b16d01ec57aec95f9f55.tar.gz
1 files changed, 7 insertions, 3 deletions
diff --git a/sys/kern/vfs_bio.c b/sys/kern/vfs_bio.c
index cc6ac46..c8a6535 100644
--- a/sys/kern/vfs_bio.c
+++ b/sys/kern/vfs_bio.c
@@ -1852,15 +1852,18 @@ out:
 static void
 vfs_vmio_release(struct buf *bp)
 {
-	int i;
+	vm_object_t obj;
 	vm_page_t m;
+	int i;
 
 	if ((bp->b_flags & B_UNMAPPED) == 0) {
 		BUF_CHECK_MAPPED(bp);
 		pmap_qremove(trunc_page((vm_offset_t)bp->b_data), bp->b_npages);
 	} else
 		BUF_CHECK_UNMAPPED(bp);
-	VM_OBJECT_WLOCK(bp->b_bufobj->bo_object);
+	obj = bp->b_bufobj->bo_object;
+	if (obj != NULL)
+		VM_OBJECT_WLOCK(obj);
 	for (i = 0; i < bp->b_npages; i++) {
 		m = bp->b_pages[i];
 		bp->b_pages[i] = NULL;
@@ -1885,7 +1888,8 @@ vfs_vmio_release(struct buf *bp)
 			vm_page_try_to_cache(m);
 		vm_page_unlock(m);
 	}
-	VM_OBJECT_WUNLOCK(bp->b_bufobj->bo_object);
+	if (obj != NULL)
+		VM_OBJECT_WUNLOCK(obj);
 	
 	if (bp->b_bufsize) {
 		bufspacewakeup();
author	kib <kib@FreeBSD.org>	2014-12-15 11:00:56 +0000
committer	kib <kib@FreeBSD.org>	2014-12-15 11:00:56 +0000
commit	679b472095e0522991b6b16d01ec57aec95f9f55 (patch)
tree	9e8a673d9b8e17e7d766b531e6bfb7766d1cf196 /sys/kern/vfs_bio.c
parent	1eabc00156ab7d2214abe4d0bfb6ea2127985ced (diff)
download	FreeBSD-src-679b472095e0522991b6b16d01ec57aec95f9f55.zip FreeBSD-src-679b472095e0522991b6b16d01ec57aec95f9f55.tar.gz