svn commit: r240464 - head/sys/fs/deadfs
Konstantin Belousov
kib at FreeBSD.org
Thu Sep 13 13:05:46 UTC 2012
Author: kib
Date: Thu Sep 13 13:05:45 2012
New Revision: 240464
URL: http://svn.freebsd.org/changeset/base/240464
Log:
The deadfs VOPs for vop_ioctl and vop_bmap call themselves recursively,
which is an elaborate way to cause a kernel panic. Change the VOP
implementations to return EBADF for a reclaimed vnode.
While the calls to vop_bmap should not reach deadfs, it is indeed
possible for vop_ioctl, because the VOP locking protocol is to pass
the vnode to the VOP unlocked. The actual panic was observed when ioctl
was called on a procfs file descriptor which pointed to an exited
process.
Reported by: zont
Tested by: pho
MFC after: 1 week
Modified:
head/sys/fs/deadfs/dead_vnops.c
Modified: head/sys/fs/deadfs/dead_vnops.c
==============================================================================
--- head/sys/fs/deadfs/dead_vnops.c Thu Sep 13 12:55:10 2012 (r240463)
+++ head/sys/fs/deadfs/dead_vnops.c Thu Sep 13 13:05:45 2012 (r240464)
@@ -41,8 +41,6 @@
/*
* Prototypes for dead operations on vnodes.
*/
-static vop_bmap_t dead_bmap;
-static vop_ioctl_t dead_ioctl;
static vop_lookup_t dead_lookup;
static vop_open_t dead_open;
static vop_poll_t dead_poll;
@@ -56,12 +54,12 @@ struct vop_vector dead_vnodeops = {
.vop_access = VOP_EBADF,
.vop_advlock = VOP_EBADF,
- .vop_bmap = dead_bmap,
+ .vop_bmap = VOP_EBADF,
.vop_create = VOP_PANIC,
.vop_getattr = VOP_EBADF,
.vop_getwritemount = dead_getwritemount,
.vop_inactive = VOP_NULL,
- .vop_ioctl = dead_ioctl,
+ .vop_ioctl = VOP_EBADF,
.vop_link = VOP_PANIC,
.vop_lookup = dead_lookup,
.vop_mkdir = VOP_PANIC,
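Review bot: The two new `VOP_EBADF` entries for `.vop_bmap` and `.vop_ioctl` carry no comment saying why they must fail rather than dispatch through the vnode again, and the removed `XXX` remark was the only hint of the problem in the file. I would add above `.vop_ioctl` something like `/* ioctl is called with the vnode unlocked, so a reclaimed vnode can get here; fail with EBADF, never re-dispatch */`. The vector still keeps `VOP_PANIC` for `.vop_create`, `.vop_link` and `.vop_mkdir`. If any of those can also be entered without the vnode lock held (not visible from this hunk), the same user-triggerable panic would remain and they would need the same treatment. The initializer of `dead_vnodeops` starts and ends outside the hunk.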
@@ -166,43 +164,6 @@ dead_write(ap)
}
/*
- * Device ioctl operation.
- */
-/* ARGSUSED */
-static int
-dead_ioctl(ap)
- struct vop_ioctl_args /* {
- struct vnode *a_vp;
- u_long a_command;
- caddr_t a_data;
- int a_fflag;
- struct ucred *a_cred;
- struct proc *a_p;
- } */ *ap;
-{
- /* XXX: Doesn't this just recurse back here ? */
- return (VOP_IOCTL_AP(ap));
-}
-
-/*
- * Wait until the vnode has finished changing state.
- */
-static int
-dead_bmap(ap)
- struct vop_bmap_args /* {
- struct vnode *a_vp;
- daddr_t a_bn;
- struct bufobj **a_bop;
- daddr_t *a_bnp;
- int *a_runp;
- int *a_runb;
- } */ *ap;
-{
-
- return (VOP_BMAP(ap->a_vp, ap->a_bn, ap->a_bop, ap->a_bnp, ap->a_runp, ap->a_runb));
-}
-
-/*
* Trivial poll routine that always returns POLLHUP.
* This is necessary so that a process which is polling a file
* gets notified when that file is revoke()d.