On 20/06/17(Tue) 13:51, Gerhard Roth wrote:
> Hi,
>
> A file pointer may be incompletely initialized after falloc(). For example,
> sys_socket() initializes 'f_flag', 'f_type', and 'f_ops' but may then sleep
> in socreate() before assigning 'f_data'.
>
> That is why there is the FIF_LARVAL flag, which is checked by the macro
> FILE_IS_USABLE(). Of the three different operations sysctl_file()
> implements, two of them (namely KERN_FILE_BYPID and KERN_FILE_BYUID)
> use FILE_IS_USABLE() to avoid handing off incomplete file pointers.
> Yet the third operation (KERN_FILE_BYFILE) doesn't. That can yield
> a fault when dereferencing fp->f_data.
>
> The fix is rather straightforward.
ok mpi@ > Index: sys/kern/kern_sysctl.c > =================================================================== > RCS file: /cvs/src/sys/kern/kern_sysctl.c,v > retrieving revision 1.328 > diff -u -p -u -p -r1.328 kern_sysctl.c > --- sys/kern/kern_sysctl.c 14 Jun 2017 03:00:40 -0000 1.328 > +++ sys/kern/kern_sysctl.c 20 Jun 2017 11:31:40 -0000 > @@ -1327,6 +1327,7 @@ sysctl_file(int *name, u_int namelen, ch > FREF(fp); > do { > if (fp->f_count > 1 && /* 0, +1 for our FREF() */ > + FILE_IS_USABLE(fp) && > (arg == 0 || fp->f_type == arg)) { > int af, skip = 0; > if (arg == DTYPE_SOCKET && fp->f_type == arg) { >
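Review bot: The new `FILE_IS_USABLE(fp) &&` term in the KERN_FILE_BYFILE loop has no comment, while the neighbouring `fp->f_count > 1` test does (`/* 0, +1 for our FREF() */`); a short note such as `/* skip larval fps, f_data may be unset */` on the added line would record why this loop must mirror the KERN_FILE_BYPID and KERN_FILE_BYUID paths, which is exactly the gap the mail describes. The placement itself looks right: the usability check is evaluated before `(arg == 0 || fp->f_type == arg)`, so a larval file whose f_type is already set (as the mail notes for sys_socket()) is rejected before the block that reaches the socket-specific code at `if (arg == DTYPE_SOCKET && fp->f_type == arg)`, where f_data would be dereferenced.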