Author: kib
Date: Sun Nov 27 19:02:18 2011
New Revision: 228035
URL: http://svn.freebsd.org/changeset/base/228035

Log:
  MFC r227952:
  Fix a race between getvnode() dereferencing half-constructed file
  and dupfdopen().
  
  Approved by:  re (bz)

Modified:
  releng/9.0/sys/kern/vfs_syscalls.c
Directory Properties:
  releng/9.0/sys/   (props changed)

Modified: releng/9.0/sys/kern/vfs_syscalls.c
==============================================================================
--- releng/9.0/sys/kern/vfs_syscalls.c  Sun Nov 27 19:00:52 2011        (r228034)
+++ releng/9.0/sys/kern/vfs_syscalls.c  Sun Nov 27 19:02:18 2011        (r228035)
@@ -4342,7 +4342,20 @@ getvnode(struct filedesc *fdp, int fd, c
                fp = fp_fromcap;
        }
 #endif /* CAPABILITIES */
-       if (fp->f_vnode == NULL) {
+
+       /*
+        * The file could be not of the vnode type, or it may be not
+        * yet fully initialized, in which case the f_vnode pointer
+        * may be set, but f_ops is still badfileops.  E.g.,
+        * devfs_open() transiently create such situation to
+        * facilitate csw d_fdopen().
+        *
+        * Dupfdopen() handling in kern_openat() installs the
+        * half-baked file into the process descriptor table, allowing
+        * other thread to dereference it. Guard against the race by
+        * checking f_ops.
+        */
+       if (fp->f_vnode == NULL || fp->f_ops == &badfileops) {
                fdrop(fp, curthread);
                return (EINVAL);
        }
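Review bot: the new check on the last `+` line is only sound if f_ops is the last field assigned when a file is completed (the comment says f_vnode may already be set while f_ops is still badfileops), so that a thread observing f_ops != &badfileops also observes a fully initialized f_vnode; nothing in this hunk enforces that ordering, so it is worth stating it explicitly in the comment so later changes to devfs_open()/dupfdopen() do not silently break it. Minor wording in the added comment: "transiently create such situation" should read "transiently creates such a situation", and "allowing other thread" should read "allowing another thread".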
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all