From 10608e7d855a9c973b57055bfc2e87284c68ce9e Mon Sep 17 00:00:00 2001
From: kib
Date: Thu, 13 Sep 2012 13:05:45 +0000
Subject: The deadfs VOPs for vop_ioctl and vop_bmap call itself recursively, which is an elaborate way to cause kernel panic. Change the VOPs implementation to return EBADF for a reclaimed vnode.

While the calls to vop_bmap should not reach deadfs, it is indeed possible for vop_ioctl, because the VOP locking protocol is to pass the vnode to VOP unlocked. The actual panic was observed when ioctl was called on procfs filedescriptor which pointed to an exited process.

Reported by: zont
Tested by: pho
MFC after: 1 week
---
 sys/fs/deadfs/dead_vnops.c | 43 ++-----------------------------------------
 1 file changed, 2 insertions(+), 41 deletions(-)

(limited to 'sys/fs')

diff --git a/sys/fs/deadfs/dead_vnops.c b/sys/fs/deadfs/dead_vnops.c
index e255654..9a107dd 100644
--- a/sys/fs/deadfs/dead_vnops.c
+++ b/sys/fs/deadfs/dead_vnops.c
@@ -41,8 +41,6 @@
 /*
  * Prototypes for dead operations on vnodes.
  */
-static vop_bmap_t dead_bmap;
-static vop_ioctl_t dead_ioctl;
 static vop_lookup_t dead_lookup;
 static vop_open_t dead_open;
 static vop_poll_t dead_poll;
@@ -56,12 +54,12 @@ struct vop_vector dead_vnodeops = {
 .vop_access = VOP_EBADF,
 .vop_advlock = VOP_EBADF,
-.vop_bmap = dead_bmap,
+.vop_bmap = VOP_EBADF,
 .vop_create = VOP_PANIC,
 .vop_getattr = VOP_EBADF,
 .vop_getwritemount = dead_getwritemount,
 .vop_inactive = VOP_NULL,
-.vop_ioctl = dead_ioctl,
+.vop_ioctl = VOP_EBADF,
 .vop_link = VOP_PANIC,
 .vop_lookup = dead_lookup,
 .vop_mkdir = VOP_PANIC,
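Review bot: The `.vop_bmap` and `.vop_ioctl` rows now read like the neighbouring VOP_EBADF entries, but nothing in the table records why these two must refuse rather than forward: the commit message explains that VOP_IOCTL is entered with the vnode unlocked, so it can arrive after the vnode was reclaimed, and the old forwarder re-entered this very vector. A one-line comment on the table, e.g. `/* VOPs reachable on an unlocked (possibly reclaimed) vnode answer EBADF; forwarding would re-enter deadfs. */`, would keep a later cleanup from restoring a pass-through handler. By the same argument it is worth checking that the handlers still named in the prototypes hunk (dead_lookup, dead_open, dead_poll) behave safely when invoked on a reclaimed vnode; their bodies are outside this diff, so I can only raise it as a question. The dead_vnodeops initializer begins before this hunk and continues past it.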
@@ -166,43 +164,6 @@ dead_write(ap)
 }
 /*
- * Device ioctl operation.
- */
-/* ARGSUSED */
-static int
-dead_ioctl(ap)
- struct vop_ioctl_args /* {
- struct vnode *a_vp;
- u_long a_command;
- caddr_t a_data;
- int a_fflag;
- struct ucred *a_cred;
- struct proc *a_p;
- } */ *ap;
-{
- /* XXX: Doesn't this just recurse back here ? */
- return (VOP_IOCTL_AP(ap));
-}
-
-/*
- * Wait until the vnode has finished changing state.
- */
-static int
-dead_bmap(ap)
- struct vop_bmap_args /* {
- struct vnode *a_vp;
- daddr_t a_bn;
- struct bufobj **a_bop;
- daddr_t *a_bnp;
- int *a_runp;
- int *a_runb;
- } */ *ap;
-{
-
- return (VOP_BMAP(ap->a_vp, ap->a_bn, ap->a_bop, ap->a_bnp, ap->a_runp, ap->a_runb));
-}
-
-/*
  * Trivial poll routine that always returns POLLHUP.
  * This is necessary so that a process which is polling a file
  * gets notified when that file is revoke()d.
-- 
cgit v1.1