Author: markj Date: Thu Mar 19 15:40:05 2020 New Revision: 359133 URL: https://svnweb.freebsd.org/changeset/base/359133
Log: kern_dup(): Call filecaps_free_prep() in a write section. filecaps_free_prep() bzeros the capabilities structure and we need to be careful to synchronize with unlocked readers, which expect a consistent rights structure. Reviewed by: kib, mjg Reported by: syzbot+5f30b507f91ddedde...@syzkaller.appspotmail.com MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D24120 Modified: head/sys/kern/kern_descrip.c Modified: head/sys/kern/kern_descrip.c ============================================================================== --- head/sys/kern/kern_descrip.c Thu Mar 19 15:39:45 2020 (r359132) +++ head/sys/kern/kern_descrip.c Thu Mar 19 15:40:05 2020 (r359133) @@ -968,7 +968,6 @@ kern_dup(struct thread *td, u_int mode, int flags, int newfde = &fdp->fd_ofiles[new]; delfp = newfde->fde_file; - oioctls = filecaps_free_prep(&newfde->fde_caps); nioctls = filecaps_copy_prep(&oldfde->fde_caps); /* @@ -977,6 +976,7 @@ kern_dup(struct thread *td, u_int mode, int flags, int #ifdef CAPABILITIES seqc_write_begin(&newfde->fde_seqc); #endif + oioctls = filecaps_free_prep(&newfde->fde_caps); memcpy(newfde, oldfde, fde_change_size); filecaps_copy_finish(&oldfde->fde_caps, &newfde->fde_caps, nioctls); _______________________________________________ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
