svn commit: r227952 - head/sys/kern

Konstantin Belousov kib at FreeBSD.org
Thu Nov 24 20:34:06 UTC 2011


Author: kib
Date: Thu Nov 24 20:34:06 2011
New Revision: 227952
URL: http://svn.freebsd.org/changeset/base/227952

Log:
  Fix a race between getvnode() dereferencing half-constructed file
  and dupfdopen().
  
  Reported and tested by:	pho
  MFC after:	3 days

Modified:
  head/sys/kern/vfs_syscalls.c

Modified: head/sys/kern/vfs_syscalls.c
==============================================================================
--- head/sys/kern/vfs_syscalls.c	Thu Nov 24 20:31:06 2011	(r227951)
+++ head/sys/kern/vfs_syscalls.c	Thu Nov 24 20:34:06 2011	(r227952)
@@ -4344,7 +4344,20 @@ getvnode(struct filedesc *fdp, int fd, c
 		fp = fp_fromcap;
 	}
 #endif /* CAPABILITIES */
-	if (fp->f_vnode == NULL) {
+
+	/*
+	 * The file could be not of the vnode type, or it may be not
+	 * yet fully initialized, in which case the f_vnode pointer
+	 * may be set, but f_ops is still badfileops.  E.g.,
+	 * devfs_open() transiently create such situation to
+	 * facilitate csw d_fdopen().
+	 *
+	 * Dupfdopen() handling in kern_openat() installs the
+	 * half-baked file into the process descriptor table, allowing
+	 * other thread to dereference it. Guard against the race by
+	 * checking f_ops.
+	 */
+	if (fp->f_vnode == NULL || fp->f_ops == &badfileops) {
 		fdrop(fp, curthread);
 		return (EINVAL);
 	}
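Review bot: the new guard at the end of the hunk (`fp->f_vnode == NULL || fp->f_ops == &badfileops`) only closes the race if the initialization path publishes `f_ops` after `f_vnode`, since the comment itself says a half-constructed file can have `f_vnode` set while `f_ops` is still `badfileops`; it would be worth stating that ordering assumption explicitly in the comment so a later change to the open path does not silently break it. Two grammar nits in the comment block: "devfs_open() transiently create such situation" should read "transiently creates such a situation", and "allowing other thread to dereference it" should read "allowing another thread to dereference it".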

