diff options
Diffstat (limited to 'sys/kern/vfs_aio.c')
| -rw-r--r-- | sys/kern/vfs_aio.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/sys/kern/vfs_aio.c b/sys/kern/vfs_aio.c index bffdf71..9532ff2 100644 --- a/sys/kern/vfs_aio.c +++ b/sys/kern/vfs_aio.c @@ -1124,8 +1124,19 @@ aio_qphysio(struct proc *p, struct aiocblist *aiocbe) } } - /* Bring buffer into kernel space. */ - vmapbuf(bp); + /* + * Bring buffer into kernel space. + * + * Note that useracc() alone is not a + * sufficient test. vmapbuf() can still fail + * due to a smaller file mapped into a larger + * area of VM, or if userland races against + * vmapbuf() after the useracc() check. + */ + if (vmapbuf(bp) < 0) { + error = EFAULT; + goto doerror; + } s = splbio(); aiocbe->bp = bp; |
