Date: Fri, 24 Mar 2023 17:47:41 GMT
Message-Id: <202303241747.32OHlfwO075479@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Konstantin Belousov
Subject: git: 51b8ffb95c4f - main - fdesc_allocvp(): fix potential use after free

The branch main has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=51b8ffb95c4fe45f6825d551bd093889820a8115

commit 51b8ffb95c4fe45f6825d551bd093889820a8115
Author:     Konstantin Belousov
AuthorDate: 2023-03-21 21:24:06 +0000
Commit:     Konstantin Belousov
CommitDate: 2023-03-24 17:46:53 +0000

    fdesc_allocvp(): fix potential use after free

    Just owning the interlock is not enough for vget() to operate on the
    vnode race-free with vgone(), the vnode should be held.

    Use vget_prep()/vget_finish() to avoid vholding the vnode explicitly,
    and drop LK_INTERLOCK.

    Reviewed by:    markj
    Tested by:      pho
    Sponsored by:   The FreeBSD Foundation
    MFC after:      1 week
    Differential revision:  https://reviews.freebsd.org/D39207
---
 sys/fs/fdescfs/fdesc_vnops.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/sys/fs/fdescfs/fdesc_vnops.c b/sys/fs/fdescfs/fdesc_vnops.c index d3c7951672cf..afefaff8acf4 100644 --- a/sys/fs/fdescfs/fdesc_vnops.c +++ b/sys/fs/fdescfs/fdesc_vnops.c @@ -147,6 +147,7 @@ fdesc_allocvp(fdntype ftype, unsigned fd_fd, int ix, struct mount *mp, struct fdhashhead *fc; struct fdescnode *fd, *fd2; struct vnode *vp, *vp2; + enum vgetstate vgs; int error; fc = FD_NHASH(ix); 
@@ -166,9 +167,9 @@ loop: if (fd->fd_ix == ix && fd->fd_vnode->v_mount == mp) { /* Get reference to vnode in case it's being free'd */ vp = fd->fd_vnode; - VI_LOCK(vp); + vgs = vget_prep(vp); mtx_unlock(&fdesc_hashmtx); - if (vget(vp, LK_EXCLUSIVE | LK_INTERLOCK)) + if (vget_finish(vp, LK_EXCLUSIVE, vgs) != 0) goto loop; *vpp = vp; return (0); @@ -218,9 +219,9 @@ loop: if (fd2->fd_ix == ix && fd2->fd_vnode->v_mount == mp) { /* Get reference to vnode in case it's being free'd */ vp2 = fd2->fd_vnode; - VI_LOCK(vp2); + vgs = vget_prep(vp2); mtx_unlock(&fdesc_hashmtx); - error = vget(vp2, LK_EXCLUSIVE | LK_INTERLOCK); + error = vget_finish(vp2, LK_EXCLUSIVE, vgs); /* Someone beat us, dec use count and wait for reclaim */ vgone(vp); vput(vp);
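
Review bot: in the @@ -166,9 +167,9 @@ hunk the retained comment "Get reference to vnode in case it's being free'd" does not say what the fix now relies on, namely that `vget_prep(vp)` runs before `mtx_unlock(&fdesc_hashmtx)`, so the reference is acquired while the hash mutex is still held. Suggest rewording the comment to state that ordering explicitly, so that a later change swapping the two lines is recognised as reopening the race with vgone() that the commit message describes. The same comment is repeated unchanged in the @@ -218,9 +219,9 @@ hunk and would benefit from the same wording.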
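
Review bot: in the @@ -218,9 +219,9 @@ hunk the result of `vget_finish(vp2, LK_EXCLUSIVE, vgs)` is only stored in `error`, and the visible context ends at `vgone(vp); vput(vp);` without showing how a nonzero value is handled. The first loop treats failure as `goto loop`; please confirm that the code following this hunk also retries rather than handing back `vp2` after a failed vget_finish(). The "Someone beat us, dec use count and wait for reclaim" comment applies to the newly allocated `vp`, not to the `vget_finish()` call directly above it, so a blank line or a short comment separating the two would make the error path easier to audit.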