svn commit: r290705 - stable/10/sys/kern

[Hans Petter Selasky]

Author: hselasky
Date: Thu Nov 12 08:47:10 2015
New Revision: 290705
URL: https://svnweb.freebsd.org/changeset/base/290705

Log:
  MFC r290140:
  Add missing NULL check in physio().
  
  When destroying a character device the si_devsw field is set to NULL
  before all references are gone, to indicate the character device is
  going away. This can cause a NULL-dereference fault inside physio().
  
  The callers of physio() should own a thread reference on the cdev and
  if si_devsw is seen as non-NULL, it is usable during the execution of
  the function. Else an ENXIO error code is returned.
  
  Reviewed by:	kib

Modified:
  stable/10/sys/kern/kern_physio.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/kern/kern_physio.c
==============================================================================
--- stable/10/sys/kern/kern_physio.c	Thu Nov 12 05:53:32 2015	(r290704)
+++ stable/10/sys/kern/kern_physio.c	Thu Nov 12 08:47:10 2015	(r290705)
@@ -38,6 +38,7 @@ __FBSDID("$FreeBSD$");
 int
 physio(struct cdev *dev, struct uio *uio, int ioflag)
 {
+	struct cdevsw *csw;
 	struct buf *pbuf;
 	struct bio *bp;
 	struct vm_page **pages;
@@ -46,6 +47,11 @@ physio(struct cdev *dev, struct uio *uio
 	int error, i, npages, maxpages;
 	vm_prot_t prot;
 
+	csw = dev->si_devsw;
+	/* check if character device is being destroyed */
+	if (csw == NULL)
+		return (ENXIO);
+
 	/* XXX: sanity check */
 	if(dev->si_iosize_max < PAGE_SIZE) {
 		printf("WARNING: %s si_iosize_max=%d, using DFLTPHYS.\n",
@@ -165,7 +171,7 @@ physio(struct cdev *dev, struct uio *uio
 				}
 			}
 
-			dev->si_devsw->d_strategy(bp);
+			csw->d_strategy(bp);
 			if (uio->uio_rw == UIO_READ)
 				biowait(bp, "physrd");
 			else