Date: Thu, 13 Nov 2025 12:11:12 GMT
Message-Id: <202511131211.5ADCBCTf073136@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Christos Margiolis
Subject: git: 634e578ac7b0 - main - cuse: Fix cdevpriv bugs in cuse_client_open()
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
Sender: owner-dev-commits-src-main@FreeBSD.org
X-Git-Committer: christos
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 634e578ac7b0a03ae25427c723c0da27e894a340
Auto-Submitted: auto-generated

The branch main has been updated by christos:

URL: https://cgit.FreeBSD.org/src/commit/?id=634e578ac7b0a03ae25427c723c0da27e894a340

commit 634e578ac7b0a03ae25427c723c0da27e894a340
Author:     Christos Margiolis
AuthorDate: 2025-11-13 12:11:06 +0000
Commit:     Christos Margiolis
CommitDate: 2025-11-13 12:11:06 +0000

cuse: Fix cdevpriv bugs in cuse_client_open()

If devfs_set_cdevpriv() fails, we will panic when we enter the
cuse_client_free() callback, for a number of reasons:
- pcc->server is not yet assigned, so we'll use a NULL pointer.
- pcc has not yet been added to the pcs->hcli TAILQ, but we'll try to
  remove it.
- pccmd->sx and pccmd->cv are not yet initialized, but we'll try to
  destroy them.

Even if we'd get past all these somehow, we'd still get two errors in
the devfs_set_cdevpriv() failure block:
- We'll unref the server twice, once in cuse_client_free(), and again in
  cuse_client_open().
- A double-free panic, since we'd be trying to free(pcc), which has
  already been freed in cuse_client_free().

Fix all those issues.

While here, also get rid of some unnecessary devfs_clear_cdevpriv().

Sponsored by: The FreeBSD Foundation MFC after: 1 week Reviewed by: kib Differential Revision: https://reviews.freebsd.org/D53708 --- sys/fs/cuse/cuse.c | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/sys/fs/cuse/cuse.c b/sys/fs/cuse/cuse.c index b2524324584a..b914b2d5017c 100644 --- a/sys/fs/cuse/cuse.c +++ b/sys/fs/cuse/cuse.c @@ -1516,13 +1516,6 @@ cuse_client_open(struct cdev *dev, int fflags, int devtype, struct thread *td) } pcc = malloc(sizeof(*pcc), M_CUSE, M_WAITOK | M_ZERO); - if (devfs_set_cdevpriv(pcc, &cuse_client_free)) { - printf("Cuse: Cannot set cdevpriv.\n"); - /* drop reference on server */ - cuse_server_unref(pcs); - free(pcc, M_CUSE); - return (ENOMEM); - } pcc->fflags = fflags; pcc->server_dev = pcsd; pcc->server = pcs; @@ -1553,10 +1546,12 @@ cuse_client_open(struct cdev *dev, int fflags, int devtype, struct thread *td) } cuse_server_unlock(pcs); - if (error) { - devfs_clear_cdevpriv(); /* XXX bugfix */ + if (error != 0) return (error); - } + + if ((error = devfs_set_cdevpriv(pcc, &cuse_client_free)) != 0) + return (error); + pccmd = &pcc->cmds[CUSE_CMD_OPEN]; cuse_cmd_lock(pccmd); @@ -1575,9 +1570,6 @@ cuse_client_open(struct cdev *dev, int fflags, int devtype, struct thread *td) cuse_cmd_unlock(pccmd); - if (error) - devfs_clear_cdevpriv(); /* XXX bugfix */ - return (error); }
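
Review bot: In the second hunk (@@ -1553,10 +1546,12 @@), both new early returns, `if (error != 0) return (error);` and the one taken when devfs_set_cdevpriv() fails, leave cuse_client_open() without releasing pcc. By this point pcc has been malloc'ed and pcc->server assigned, and according to the commit message the matching cleanup (TAILQ removal, sx/cv destruction, server unref, free of pcc) lives in cuse_client_free(), which can only run as the cdevpriv destructor once the cdevpriv is registered. The old code reached it through devfs_clear_cdevpriv(); on these two paths nothing is registered yet, so nothing reaches it. Suggest undoing the setup explicitly before each return, for example by invoking cuse_client_free(pcc) directly if it is safe to call outside the destructor context.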
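
Review bot: In the last hunk (@@ -1575,9 +1570,6 @@), the removed `devfs_clear_cdevpriv(); /* XXX bugfix */` on the open-command error path is justified in the commit message only as "unnecessary". A one-line comment at the final `return (error);` saying what runs cuse_client_free() when the open fails after the cdevpriv has been set would document the lifetime rule the change relies on and keep a later reader from re-adding the call.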