From nobody Fri Mar 31 00:59:20 2023 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Pnhkx200Jz42dDV; Fri, 31 Mar 2023 00:59:21 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Pnhkx1WmLz3L5C; Fri, 31 Mar 2023 00:59:21 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1680224361; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Y9xOCFImd8CKGy0RlZ8jl+1ZP3Si0kTGLDgmrtZAND0=; b=wSVq2i+MfhwNfq4FpRwKz2UYuJbGAi8LHVMa/1S937K73AhAt/DvHaGpRrb//fpRoQ14QO y4Nwij2qPlHJMO7E+QXTxo7eeZQnEBj5KHyuhoDJt6tgmltW6uQQIxwKGUbSSXex+VXuHR bfiXk6JlRj+rj1R6gBJMBQLEeA54lkDsbCIxDKo2zimHfpiZzrHqENGeDS4SUptUliMEde 0m01JrouuwPcgEtDSvcnZ6pHskRoSvrEH7STtzvejM/7I5xazz4mIUp4EYS3KFO+cZv0Tp /aR4uqgba5hhlkCvPAGkKFFpvkXB0QpimpdpFg6aNC0bSYX8cXRaeM1UWmhZ1A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1680224361; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Y9xOCFImd8CKGy0RlZ8jl+1ZP3Si0kTGLDgmrtZAND0=; b=FiieJ+yZt/oyzsbCEpgI25BHJcajjcPo6RU4H3xlMmW4vN4KMFZRKkQnv3fTIOslQ/wvMw Bd9fV3UOTHuLczynSFgPXsMKEXeynx6cim9ZaKDhHwvQJEGhMzlzw1B4GP3N/fIkhTXBuM +9KwUXuYoT//Ugk6g5aEoPDx4SjrNV8ZPk8xGGk3Iv/FYc1j3K4ptaAHT4oL4A+pWm5Ag+ ymHHWV6RslyZzJEq33QHmM3CdAMN6TJixozBuoJ0T+ZkCFWKVI35pA5PQ8oJbMJW7FeW6z Gyv9QZ+WXz7WUaG6VVtRMBV75DDBr4WHcWPXiH0B8tPgVE2FHJ/Sfwl5F5Z8Cw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1680224361; a=rsa-sha256; cv=none; b=wzi881cm2uSMJcBLB+QAmtrkffk03ZUrP03EKtdbdlRKDJSQC9muwOcNwBQIoo+Sqrrqta pIQuhn4DZSjvAnE9su8vzBJAv2ScUgzLATyglwEaeiWrc2trsvoiAlGWRcME/br4clpgBT +XXb6SQZDLXeMhBunksNdoff9lKsAi+j4Fl4RFa2Lv7lUf662prNB/j7VC0tUhXYv1SH1X DLLO25j52f6GoDUIJoROEN/mKmJNEbxixdv6Wp/mTcK3sEw1HoaXWY///McnP7dLYyVOsT rMosy3BDgnolQT9JmJ6az7DTDvZL1xHr6AnELYaxCzuYPwUwLPNWumfPYtylgQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Pnhkx0KXBzYY2; Fri, 31 Mar 2023 00:59:21 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 32V0xKcF001645; Fri, 31 Mar 2023 00:59:20 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 32V0xK3F001644; Fri, 31 Mar 2023 00:59:20 GMT (envelope-from git) Date: Fri, 31 Mar 2023 00:59:20 GMT Message-Id: <202303310059.32V0xK3F001644@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Konstantin Belousov Subject: git: 35b68d0ac4d3 - stable/13 - fdesc_allocvp(): fix potential use after free List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kib X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: 35b68d0ac4d3b88ce8e3fa866e42e8842f5227ef Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch stable/13 has been updated by kib: URL: https://cgit.FreeBSD.org/src/commit/?id=35b68d0ac4d3b88ce8e3fa866e42e8842f5227ef commit 35b68d0ac4d3b88ce8e3fa866e42e8842f5227ef Author: Konstantin Belousov AuthorDate: 2023-03-21 21:24:06 +0000 Commit: Konstantin Belousov CommitDate: 2023-03-31 00:47:52 +0000 fdesc_allocvp(): fix potential use after free (cherry picked from commit 51b8ffb95c4fe45f6825d551bd093889820a8115) --- sys/fs/fdescfs/fdesc_vnops.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/sys/fs/fdescfs/fdesc_vnops.c b/sys/fs/fdescfs/fdesc_vnops.c index 087f9b2551d1..17320b2c8354 100644 --- a/sys/fs/fdescfs/fdesc_vnops.c +++ b/sys/fs/fdescfs/fdesc_vnops.c @@ -160,6 +160,7 @@ fdesc_allocvp(fdntype ftype, unsigned fd_fd, int ix, struct mount *mp, struct fdescnode *fd, *fd2; struct vnode *vp, *vp2; struct thread *td; + enum vgetstate vgs; int error; td = curthread; @@ -180,9 +181,9 @@ loop: if (fd->fd_ix == ix && fd->fd_vnode->v_mount == mp) { /* Get reference to vnode in case it's being free'd */ vp = fd->fd_vnode; - VI_LOCK(vp); + vgs = vget_prep(vp); mtx_unlock(&fdesc_hashmtx); - if (vget(vp, LK_EXCLUSIVE | LK_INTERLOCK)) + if (vget_finish(vp, LK_EXCLUSIVE, vgs) != 0) goto loop; *vpp = vp; return (0); @@ -230,9 +231,9 @@ loop: if (fd2->fd_ix == ix && fd2->fd_vnode->v_mount == mp) { /* Get reference to vnode in case it's being free'd */ vp2 = fd2->fd_vnode; - VI_LOCK(vp2); + vgs = vget_prep(vp2); mtx_unlock(&fdesc_hashmtx); - error = vget(vp2, LK_EXCLUSIVE | LK_INTERLOCK); + error = vget_finish(vp2, LK_EXCLUSIVE, vgs); /* Someone beat us, dec use count and wait for reclaim */ vgone(vp); vput(vp);