svn commit: r357574 - head/sys/kern

Mark Johnston markj at FreeBSD.org
Wed Feb 5 16:09:21 UTC 2020


Author: markj
Date: Wed Feb  5 16:09:21 2020
New Revision: 357574
URL: https://svnweb.freebsd.org/changeset/base/357574

Log:
  Avoid releasing object PIP in vn_sendfile() if no pages were grabbed.
  
  sendfile(2) optionally takes a set of headers that get prepended to the
  file data.  If the request length is less than that of the headers,
  sendfile may not allocate an sfio structure, in which case its pointer
  is null and we should be careful not to dereference.  This was
  introduced in r356902.
  
  Reported by:	syzkaller
  Sponsored by:	The FreeBSD Foundation

Modified:
  head/sys/kern/kern_sendfile.c

Modified: head/sys/kern/kern_sendfile.c
==============================================================================
--- head/sys/kern/kern_sendfile.c	Wed Feb  5 16:09:02 2020	(r357573)
+++ head/sys/kern/kern_sendfile.c	Wed Feb  5 16:09:21 2020	(r357574)
@@ -1060,8 +1060,10 @@ prepend_header:
 			 * we can send data right now without the
 			 * PRUS_NOTREADY flag.
 			 */
-			vm_object_pip_wakeup(sfio->obj);
-			free(sfio, M_TEMP);
+			if (sfio != NULL) {
+				vm_object_pip_wakeup(sfio->obj);
+				free(sfio, M_TEMP);
+			}
 #ifdef KERN_TLS
 			if (tls != NULL && tls->mode == TCP_TLS_MODE_SW) {
 				error = (*so->so_proto->pr_usrreqs->pru_send)
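Review bot: the new `if (sfio != NULL)` guard at the top of this hunk carries no comment saying when sfio can be null on this path. The commit log gives the reason (a request length shorter than the headers, so no sfio is allocated), but the block comment just above the guard only discusses sending without PRUS_NOTREADY. A short comment on the guard naming the headers-only case would keep the check from being dropped as redundant later. Since this was found by syzkaller, a regression test that calls sendfile(2) with headers longer than the requested length would be worth adding with the fix.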

