svn commit: r362923 - head/sys/fs/devfs
Mateusz Guzik
mjg at FreeBSD.org
Sat Jul 4 06:27:29 UTC 2020
Author: mjg
Date: Sat Jul 4 06:27:28 2020
New Revision: 362923
URL: https://svnweb.freebsd.org/changeset/base/362923
Log:
devfs: fix a vnode use-after-free in devfs_ioctl
The vnode to be replaced was read with a shared lock, meaning 2 racing threads
can find the same one.
While here clean it up a little bit.
Modified:
head/sys/fs/devfs/devfs_vnops.c
Modified: head/sys/fs/devfs/devfs_vnops.c
==============================================================================
--- head/sys/fs/devfs/devfs_vnops.c Sat Jul 4 06:25:41 2020 (r362922)
+++ head/sys/fs/devfs/devfs_vnops.c Sat Jul 4 06:27:28 2020 (r362923)
@@ -787,6 +787,7 @@ devfs_ioctl(struct vop_ioctl_args *ap)
struct vnode *vpold, *vp;
struct cdevsw *dsw;
struct thread *td;
+ struct session *sess;
struct cdev *dev;
int error, ref, i;
const char *p;
@@ -836,18 +837,18 @@ devfs_ioctl(struct vop_ioctl_args *ap)
* nothing left to do.
*/
sx_slock(&proctree_lock);
- if (td->td_proc->p_session->s_ttyvp == vp ||
- td->td_proc->p_session->s_ttyp == NULL) {
+ sess = td->td_proc->p_session;
+ if (sess->s_ttyvp == vp || sess->s_ttyp == NULL) {
sx_sunlock(&proctree_lock);
return (0);
}
- vpold = td->td_proc->p_session->s_ttyvp;
- VREF(vp);
- SESS_LOCK(td->td_proc->p_session);
- td->td_proc->p_session->s_ttyvp = vp;
- td->td_proc->p_session->s_ttydp = cdev2priv(dev);
- SESS_UNLOCK(td->td_proc->p_session);
+ vrefact(vp);
+ SESS_LOCK(sess);
+ vpold = sess->s_ttyvp;
+ sess->s_ttyvp = vp;
+ sess->s_ttydp = cdev2priv(dev);
+ SESS_UNLOCK(sess);
sx_sunlock(&proctree_lock);
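Review bot: The locking rule this fix depends on is not written down anywhere in the new code: `vpold = sess->s_ttyvp;` is only safe because it now sits between `SESS_LOCK(sess)` and `SESS_UNLOCK(sess)`, while `proctree_lock` is held shared and does not exclude other callers. I would add a comment above `SESS_LOCK(sess)`, for example `/* Read and replace s_ttyvp under SESS_LOCK: proctree_lock is only held shared, so racing callers could otherwise fetch the same old vnode and each drop its reference. */`, so a later cleanup does not hoist the read back out. The early-return test `sess->s_ttyvp == vp || sess->s_ttyp == NULL` still runs before `SESS_LOCK` is taken. That looks harmless because the swap re-reads the field under the lock, but the comment should say the check is only advisory. The release of `vpold` and the rest of `devfs_ioctl` lie outside this hunk, so the reference balance on the old vnode cannot be confirmed from here.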