From cd869a4a4264d97fea3fa87557bf8d06e7c86e31 Mon Sep 17 00:00:00 2001
From: kib
Date: Fri, 15 May 2009 19:23:05 +0000
Subject: Devfs replaces file ops vector with devfs-specific one in devfs_open(), before the struct file is fully initialized in vn_open(), in particular, fp->f_vnode is NULL. Other thread calling file operation before f_vnode is set results in NULL pointer dereference in devvn_refthread(). Initialize f_vnode before calling d_fdopen() cdevsw method, that might set file ops too.

Reported and tested by: Chris Timmons (RELENG_7 version)
MFC after: 3 days
---
 sys/fs/devfs/devfs_vnops.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'sys/fs')
diff --git a/sys/fs/devfs/devfs_vnops.c b/sys/fs/devfs/devfs_vnops.c
index ece9559..c637ea8 100644
--- a/sys/fs/devfs/devfs_vnops.c
+++ b/sys/fs/devfs/devfs_vnops.c
@@ -942,8 +942,10 @@ devfs_open(struct vop_open_args *ap)
 	fpop = td->td_fpop;
 	td->td_fpop = fp;
-	if (fp != NULL)
+	if (fp != NULL) {
 		fp->f_data = dev;
+		fp->f_vnode = vp;
+	}
 	if (dsw->d_fdopen != NULL)
 		error = dsw->d_fdopen(dev, ap->a_mode, td, fp);
 	else
-- 
cgit v1.1
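Review bot: The reason the vnode must be stored before d_fdopen() lives only in the commit message; a one-line comment above the added `fp->f_vnode = vp;` would keep a later cleanup from reordering it, e.g. `/* Set f_vnode before d_fdopen() may swap f_ops: another thread can already reach devvn_refthread() through fp. */`. The new store is a plain assignment with nothing ordering it against the later replacement of the file ops vector, which happens outside this hunk; if that replacement is what makes the file reachable by other threads, it is worth confirming the publication path carries a barrier so f_vnode is visible before the devfs ops are. devfs_open() starts and ends outside the hunk, and the hunk header counts one more context line than survived the paste (likely a blank line before `fpop = td->td_fpop;`).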