cuse: Fix cdevpriv bugs in cuse_client_open()
Closed, Public

Authored by christos on Wed, Nov 12, 2:16 PM.
Details

Summary

If devfs_set_cdevpriv() fails, we will panic when we enter the
cuse_client_free() callback, for a number of reasons:

  • pcc->server is not yet assigned, so we'll use a NULL pointer.
  • pcc has not yet been added to the pcs->hcli TAILQ, but we'll try to remove it.
  • pccmd->sx and pccmd->cv are not yet initialized, but we'll try to destroy them.

Even if we'd get past all these somehow, we'd still get two errors in
the devfs_set_cdevpriv() failure block:

  • We'll unref the server twice, once in cuse_client_free(), and again in cuse_client_open().
  • A double-free panic, since we'd be trying to free(pcc), which has already been freed in cuse_client_free().

Fix all those issues. While here, also get rid of some unnecessary
devfs_clear_cdevpriv().

Sponsored by: The FreeBSD Foundation
MFC after: 1 week
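The failure path the summary describes, modelled as a user-space C program added here (it is not the driver's code and not the committed fix): a destructor written for a fully built client is entered on a half-built one, and each would-be panic is counted instead of taken. The names (server, client, set_priv, open_buggy, open_fixed, simulate) and the "build fully, register last" ordering in open_fixed are this example's own assumptions.

```c
#include <stdbool.h>

/* Constructed user-space model of the open()/cdevpriv pattern, not FreeBSD's code. */
struct server { int refs; int nclients; };
struct client {
    struct server *srv;             /* pcc->server */
    bool linked, locks_init, freed; /* on pcs->hcli; pccmd->sx/cv initialised; already freed */
};
static int hazards;   /* would-be kernel panics, counted instead of taken */
static bool fail_reg; /* make the simulated devfs_set_cdevpriv() fail */

static int set_priv(void (*dtor)(void *)) { (void)dtor; return fail_reg ? 1 : 0; }
static void release(struct client *c) { if (c->freed) hazards++; c->freed = true; }

/* The destructor registered with the file: it assumes a fully built client. */
static void client_free(void *arg) {
    struct client *c = arg;
    if (!c->srv) hazards++;                   /* NULL pointer dereference */
    else if (--c->srv->refs < 0) hazards++;   /* server unreffed more often than reffed */
    if (!c->linked) hazards++;                /* TAILQ_REMOVE of a never-inserted element */
    else { c->linked = false; c->srv->nclients--; }
    if (!c->locks_init) hazards++;            /* sx_destroy()/cv_destroy() on uninitialised locks */
    release(c);
}

/* Buggy ordering: register first, initialise later, and on failure let the destructor
 * run on the half-built client, then unref and free a second time. */
static int open_buggy(struct server *s, struct client *c) {
    s->refs++;
    if (set_priv(client_free) != 0) {
        client_free(c);   /* entered on a half-built client */
        s->refs--;        /* second unref */
        release(c);       /* second free */
        return 1;
    }
    c->srv = s; c->linked = true; s->nclients++; c->locks_init = true;
    return 0;
}

/* Safer ordering (assumed here): build the client completely, register last, and on
 * failure tear it down exactly once through the same destructor. */
static int open_fixed(struct server *s, struct client *c) {
    s->refs++;
    c->srv = s; c->linked = true; s->nclients++; c->locks_init = true;
    if (set_priv(client_free) != 0) { client_free(c); return 1; }
    return 0;
}

/* Drive one open() from a clean state and return the number of hazards it would have hit. */
static int simulate(int (*open_fn)(struct server *, struct client *), bool fail) {
    struct server s = {0}; struct client c = {0};
    hazards = 0; fail_reg = fail;
    (void)open_fn(&s, &c);
    return hazards;
}
```

With registration failing, open_buggy hits four hazards (NULL server, unlinked TAILQ removal, uninitialised locks, double free) while open_fixed hits none; with registration succeeding both paths are clean.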

Diff Detail

Repository: rG FreeBSD src repository
Lint: Not Applicable
Unit Tests: Not Applicable

Event Timeline

sys/fs/cuse/cuse.c:1552

Why returning ENOMEM instead of the holistic error returned from devfs_set_cdevpriv()? And why is the printf() needed? If so inclined, use EXTERROR() to add some more words.

sys/fs/cuse/cuse.c:1553

If error is != 0, why set cdevpriv above at all?

christos marked 2 inline comments as done.

Address kib's comments.

kib added inline comments.
sys/fs/cuse/cuse.c:1549

This revision is now accepted and ready to land. Wed, Nov 12, 11:32 PM