Author: mjg
Date: Sat Jul  4 06:27:28 2020
New Revision: 362923
URL: https://svnweb.freebsd.org/changeset/base/362923

Log:
  devfs: fix a vnode use-after-free in devfs_ioctl
  
  The vnode to be replaced was read with a shared lock, meaning 2 racing threads
  can find the same one.
  
  While here clean it up a little bit.

Modified:
  head/sys/fs/devfs/devfs_vnops.c

Modified: head/sys/fs/devfs/devfs_vnops.c
==============================================================================
--- head/sys/fs/devfs/devfs_vnops.c     Sat Jul  4 06:25:41 2020        
(r362922)
+++ head/sys/fs/devfs/devfs_vnops.c     Sat Jul  4 06:27:28 2020        
(r362923)
@@ -787,6 +787,7 @@ devfs_ioctl(struct vop_ioctl_args *ap)
        struct vnode *vpold, *vp;
        struct cdevsw *dsw;
        struct thread *td;
+       struct session *sess;
        struct cdev *dev;
        int error, ref, i;
        const char *p;
@@ -836,18 +837,18 @@ devfs_ioctl(struct vop_ioctl_args *ap)
                 * nothing left to do.
                 */
                sx_slock(&proctree_lock);
-               if (td->td_proc->p_session->s_ttyvp == vp ||
-                   td->td_proc->p_session->s_ttyp == NULL) {
+               sess = td->td_proc->p_session;
+               if (sess->s_ttyvp == vp || sess->s_ttyp == NULL) {
                        sx_sunlock(&proctree_lock);
                        return (0);
                }
 
-               vpold = td->td_proc->p_session->s_ttyvp;
-               VREF(vp);
-               SESS_LOCK(td->td_proc->p_session);
-               td->td_proc->p_session->s_ttyvp = vp;
-               td->td_proc->p_session->s_ttydp = cdev2priv(dev);
-               SESS_UNLOCK(td->td_proc->p_session);
+               vrefact(vp);
+               SESS_LOCK(sess);
+               vpold = sess->s_ttyvp;
+               sess->s_ttyvp = vp;
+               sess->s_ttydp = cdev2priv(dev);
+               SESS_UNLOCK(sess);
 
                sx_sunlock(&proctree_lock);
 
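Review bot: The early-return test `sess->s_ttyvp == vp || sess->s_ttyp == NULL` is still evaluated before `SESS_LOCK(sess)`, with only the shared `proctree_lock` held, so it can read a value that another thread is about to replace. This looks benign because `vpold` is now re-read under the session lock, and a racing thread installing the same `vp` would simply get `vp` back as `vpold`, but nothing in the hunk records that invariant. I would add a comment above `SESS_LOCK(sess)` such as `/* proctree_lock is only held shared; s_ttyvp must be sampled and replaced under SESS_LOCK so racing callers never release the same old vnode twice. */`. The release of `vpold` happens after the hunk ends, so whether the references balance in the same-`vp` race should be confirmed against the rest of devfs_ioctl.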