svn commit: r228033 - stable/9/sys/kern
Konstantin Belousov
kib at FreeBSD.org
Sun Nov 27 18:56:04 UTC 2011
Author: kib
Date: Sun Nov 27 18:56:04 2011
New Revision: 228033
URL: http://svn.freebsd.org/changeset/base/228033
Log:
MFC r227952:
Fix a race between getvnode() dereferencing half-constructed file
and dupfdopen().
Approved by: re (bz)
Modified:
stable/9/sys/kern/vfs_syscalls.c
Directory Properties:
stable/9/sys/ (props changed)
Modified: stable/9/sys/kern/vfs_syscalls.c
==============================================================================
--- stable/9/sys/kern/vfs_syscalls.c Sun Nov 27 18:49:16 2011 (r228032)
+++ stable/9/sys/kern/vfs_syscalls.c Sun Nov 27 18:56:04 2011 (r228033)
@@ -4342,7 +4342,20 @@ getvnode(struct filedesc *fdp, int fd, c
fp = fp_fromcap;
}
#endif /* CAPABILITIES */
- if (fp->f_vnode == NULL) {
+
+ /*
+ * The file could be not of the vnode type, or it may be not
+ * yet fully initialized, in which case the f_vnode pointer
+ * may be set, but f_ops is still badfileops. E.g.,
+ * devfs_open() transiently create such situation to
+ * facilitate csw d_fdopen().
+ *
+ * Dupfdopen() handling in kern_openat() installs the
+ * half-baked file into the process descriptor table, allowing
+ * other thread to dereference it. Guard against the race by
+ * checking f_ops.
+ */
+ if (fp->f_vnode == NULL || fp->f_ops == &badfileops) {
fdrop(fp, curthread);
return (EINVAL);
}
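Review bot: the new `fp->f_ops == &badfileops` test in the condition reads `f_ops` with no lock or ordering visible in this hunk, and the comment does not say what guarantees that a thread which sees `f_ops` no longer equal to `&badfileops` also sees a fully set up `f_vnode`. Since the comment already explains that kern_openat() publishes the half-built file in the descriptor table, it should also name the ordering or lock the check relies on, so a later change to the open path does not silently reopen the race. The transient case also returns the same EINVAL as a descriptor that is not a vnode, so a caller racing with the open gets EINVAL for a descriptor that becomes valid a moment later; a sentence stating that this is intended would help. Minor wording in the comment: "transiently create such situation" should be "transiently creates such a situation", and "allowing other thread" should be "allowing another thread".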