The branch stable/13 has been updated by kib: URL: https://cgit.FreeBSD.org/src/commit/?id=35b68d0ac4d3b88ce8e3fa866e42e8842f5227ef
commit 35b68d0ac4d3b88ce8e3fa866e42e8842f5227ef
Author: Konstantin Belousov <k...@freebsd.org>
AuthorDate: 2023-03-21 21:24:06 +0000
Commit: Konstantin Belousov <k...@freebsd.org>
CommitDate: 2023-03-31 00:47:52 +0000
fdesc_allocvp(): fix potential use after free
(cherry picked from commit 51b8ffb95c4fe45f6825d551bd093889820a8115)
---
 sys/fs/fdescfs/fdesc_vnops.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/sys/fs/fdescfs/fdesc_vnops.c b/sys/fs/fdescfs/fdesc_vnops.c
index 087f9b2551d1..17320b2c8354 100644
--- a/sys/fs/fdescfs/fdesc_vnops.c
+++ b/sys/fs/fdescfs/fdesc_vnops.c
@@ -160,6 +160,7 @@ fdesc_allocvp(fdntype ftype, unsigned fd_fd, int ix, struct mount *mp,
 struct fdescnode *fd, *fd2;
 struct vnode *vp, *vp2;
 struct thread *td;
+ enum vgetstate vgs;
 int error;
 td = curthread;
@@ -180,9 +181,9 @@ loop:
 if (fd->fd_ix == ix && fd->fd_vnode->v_mount == mp) {
 /* Get reference to vnode in case it's being free'd */
 vp = fd->fd_vnode;
- VI_LOCK(vp);
+ vgs = vget_prep(vp);
 mtx_unlock(&fdesc_hashmtx);
- if (vget(vp, LK_EXCLUSIVE | LK_INTERLOCK))
+ if (vget_finish(vp, LK_EXCLUSIVE, vgs) != 0)
 goto loop;
 *vpp = vp;
 return (0);
@@ -230,9 +231,9 @@ loop:
 if (fd2->fd_ix == ix && fd2->fd_vnode->v_mount == mp) {
 /* Get reference to vnode in case it's being free'd */
 vp2 = fd2->fd_vnode;
- VI_LOCK(vp2);
+ vgs = vget_prep(vp2);
 mtx_unlock(&fdesc_hashmtx);
- error = vget(vp2, LK_EXCLUSIVE | LK_INTERLOCK);
+ error = vget_finish(vp2, LK_EXCLUSIVE, vgs);
 /* Someone beat us, dec use count and wait for reclaim */
 vgone(vp);
 vput(vp);
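Review bot: The retained comment `/* Get reference to vnode in case it's being free'd */` in the second hunk (and again in the third) does not record the ordering this fix depends on: `vget_prep()` has to run before `mtx_unlock(&fdesc_hashmtx)`. Both that call and the `fd->fd_vnode->v_mount` read in the `if` presumably rely on the node being removed from the hash under the same mutex before its vnode can be freed; that path is outside this diff and should be confirmed. I would replace the comment in both places with something like `/* vget_prep() must run before fdesc_hashmtx is dropped: the mutex keeps fd_vnode valid until we hold a reference. */`. The commit message also does not say which window the old `VI_LOCK()`/`LK_INTERLOCK` sequence left open, which would help anyone auditing similar hash lookups. The body of fdesc_allocvp() starts and ends outside these hunks.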