Module Name:    src
Committed By:   maxv
Date:           Sun Jun 22 18:32:27 UTC 2014

Modified Files:
        src/sys/kern: vfs_vnops.c

Log Message:
Fix a NULL pointer dereference after a loooong discussion with dholland@,
hannken@, blymn@ and martin@.

This bug would panic the system when veriexec is set to the VERIEXEC_LOCKDOWN
mode (only settable from root).


To generate a diff of this commit:
cvs rdiff -u -r1.189 -r1.190 src/sys/kern/vfs_vnops.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/vfs_vnops.c
diff -u src/sys/kern/vfs_vnops.c:1.189 src/sys/kern/vfs_vnops.c:1.190
--- src/sys/kern/vfs_vnops.c:1.189	Thu Feb 27 16:51:38 2014
+++ src/sys/kern/vfs_vnops.c	Sun Jun 22 18:32:27 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: vfs_vnops.c,v 1.189 2014/02/27 16:51:38 hannken Exp $	*/
+/*	$NetBSD: vfs_vnops.c,v 1.190 2014/06/22 18:32:27 maxv Exp $	*/
 
 /*-
  * Copyright (c) 2009 The NetBSD Foundation, Inc.
@@ -66,7 +66,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vfs_vnops.c,v 1.189 2014/02/27 16:51:38 hannken Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_vnops.c,v 1.190 2014/06/22 18:32:27 maxv Exp $");
 
 #include "veriexec.h"
 
@@ -171,8 +171,25 @@ vn_open(struct nameidata *ndp, int fmode
 
 #if NVERIEXEC > 0
 	error = veriexec_openchk(l, ndp->ni_vp, pathstring, fmode);
-	if (error)
-		goto bad;
+	if (error) {
+		/* We have to release the locks ourselves */
+		if (fmode & O_CREAT) {
+			if (vp == NULL) {
+				vput(ndp->ni_dvp);
+			} else {
+				VOP_ABORTOP(ndp->ni_dvp, &ndp->ni_cnd);
+				if (ndp->ni_dvp == ndp->ni_vp)
+					vrele(ndp->ni_dvp);
+				else
+					vput(ndp->ni_dvp);
+				ndp->ni_dvp = NULL;
+				vput(vp);
+			}
+		} else {
+			vput(vp);
+		}
+		goto out;
+	}
 #endif /* NVERIEXEC > 0 */
 
 	if (fmode & O_CREAT) {
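Review bot: In the `vp == NULL` arm of the new veriexec error path, `ndp->ni_dvp` is released with `vput()` but left pointing at the released vnode, whereas the sibling arm clears it with `ndp->ni_dvp = NULL;` after the same release. Unless something outside this hunk depends on the stale value, I would make the two arms agree by adding `ndp->ni_dvp = NULL;` after `vput(ndp->ni_dvp);`, so that nothing reached via `out` or in the caller can touch a vnode that is no longer held. The comment would also be more useful if it said why `bad` cannot be used here, e.g. `/* vp may be NULL with O_CREAT, so we cannot go through bad; release the locks ourselves */`. That reason is inferred from the log message, because the `bad` and `out` labels and the rest of vn_open lie outside the hunk.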
