From nobody@FreeBSD.org  Sat Jun 21 20:22:48 2008
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 21596106567B
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 21 Jun 2008 20:22:48 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 18FFA8FC17
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 21 Jun 2008 20:22:48 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.2/8.14.2) with ESMTP id m5LKMlXR086250
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 21 Jun 2008 20:22:47 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.2/8.14.1/Submit) id m5LKMlTN086249;
	Sat, 21 Jun 2008 20:22:47 GMT
	(envelope-from nobody)
Message-Id: <200806212022.m5LKMlTN086249@www.freebsd.org>
Date: Sat, 21 Jun 2008 20:22:47 GMT
From: Mateusz Guzik <mjguzik@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [patch] devfs_ruleset_use may use freed memory, causing panic
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         124853
>Category:       kern
>Synopsis:       [devfs.rules] [patch] devfs_ruleset_use may use freed memory, causing panic
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    jh
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 21 20:30:04 UTC 2008
>Closed-Date:    Thu Mar 10 17:06:13 UTC 2011
>Last-Modified:  Thu Mar 10 17:06:13 UTC 2011
>Originator:     Mateusz Guzik
>Release:        8.0-CURRENT
>Organization:
>Environment:
FreeBSD eternal 8.0-CURRENT FreeBSD 8.0-CURRENT #3: Sat Jun 21 21:41:16 CEST 2008     root@eternal:/usr/obj/usr/src/sys/ETERNAL  i386

>Description:
Function devfs_ruleset_use follows this algorithm:
1. Get the ruleset; if it doesn't exist, create it.
2. Decrease the reference count of dm's current ruleset. Call devfs_ruleset_reap to free it if it has no references and no rules.
3. Assign the ruleset from 1. to dm and increase its reference count.

Ruleset created by this function has no rules.

When a user types, e.g., `devfs ruleset 100', this function creates ruleset 100 for him. When he types this command again, ruleset 100 is freed due to its zeroed reference count and empty rules list, and then it is assigned to dm. This causes a panic a few minutes later.
>How-To-Repeat:
Run `devfs ruleset' twice with a non-existent ruleset number, for example `devfs ruleset 100'. Wait a couple of minutes; the kernel will panic saying `Most recently used by DEVFS_RULE'.

>Fix:
Patch is attached.

Patch attached with submission follows:

--- devfs_rule.c.orig	2008-06-21 21:31:48.000000000 +0200
+++ devfs_rule.c	2008-06-21 21:33:49.000000000 +0200
@@ -733,19 +733,20 @@
 static int
 devfs_ruleset_use(devfs_rsnum rsnum, struct devfs_mount *dm)
 {
 	struct devfs_ruleset *cds, *ds;
 
-	ds = devfs_ruleset_bynum(rsnum);
-	if (ds == NULL)
-		ds = devfs_ruleset_create(rsnum);
 	if (dm->dm_ruleset != 0) {
 		cds = devfs_ruleset_bynum(dm->dm_ruleset);
 		--cds->ds_refcount;
 		devfs_ruleset_reap(cds);
 	}
 
+	ds = devfs_ruleset_bynum(rsnum);
+	if (ds == NULL)
+		ds = devfs_ruleset_create(rsnum);
+
 	/* These should probably be made atomic somehow. */
 	++ds->ds_refcount;
 	dm->dm_ruleset = rsnum;
 
 	return (0);
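Review bot: the reorder closes the use-after-free for the case the PR describes, rsnum == dm->dm_ruleset with an empty ruleset, where `cds` and `ds` were the same object and `devfs_ruleset_reap(cds);` freed it before `++ds->ds_refcount;`; with the lookup moved after the reap that ruleset is now freed and re-created on re-selection, which is correct, but a one-line comment above `ds = devfs_ruleset_bynum(rsnum);` saying the lookup must follow the reap would help, since nothing else in the function makes the ordering constraint visible. `cds` is still dereferenced without a NULL check; that relies on a ruleset with a non-zero refcount never being reaped, which is exactly the invariant this patch restores, so it holds, but the `/* These should probably be made atomic somehow. */` comment now really covers the whole decrement-reap-lookup-increment sequence and would read better at the top of the block.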


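The ordering bug above, reduced to a runnable model. This is an added example, not FreeBSD's devfs_rule.c and not part of the PR: the struct layout, the global lists, the `scenario` driver and the `freed` poison flag (set instead of calling free(), so the dangling pointer can be observed without undefined behaviour) are all assumptions made for the demonstration. It runs the PR's reproducer, selecting ruleset 100 twice on a fresh mount, through both the pre-fix and the fixed order of operations, and also shows that the bug needs an empty ruleset to trigger.

```c
/* Toy model of devfs ruleset refcounting, constructed for this example.
 * Not FreeBSD code: names mirror the PR, the rest is assumed. */
#include <stdlib.h>

typedef unsigned short rsnum_t;

struct ruleset {
	rsnum_t num;
	int refcount;		/* mounts currently using this ruleset */
	int nrules;		/* 0 means empty, i.e. eligible for reaping */
	int freed;		/* poison flag, stands in for free(ds) */
	struct ruleset *next;
};
struct mount { rsnum_t cur; };	/* like dm_ruleset; 0 means none */

static struct ruleset *rulesets;	/* live rulesets */
static struct ruleset *graveyard;	/* "freed" ones, released by reset() */

static struct ruleset *ruleset_bynum(rsnum_t n)
{
	struct ruleset *ds;
	for (ds = rulesets; ds != NULL && ds->num != n; ds = ds->next)
		;
	return (ds);
}

static struct ruleset *ruleset_create(rsnum_t n)
{
	struct ruleset *ds = calloc(1, sizeof(*ds));
	if (ds == NULL) abort();
	ds->num = n;
	ds->next = rulesets;
	rulesets = ds;
	return (ds);
}

/* Unlink and "free" a ruleset that has no references and no rules. */
static void ruleset_reap(struct ruleset *ds)
{
	struct ruleset **pp;
	if (ds->refcount != 0 || ds->nrules != 0)
		return;
	for (pp = &rulesets; *pp != NULL; pp = &(*pp)->next)
		if (*pp == ds) { *pp = ds->next; break; }
	ds->freed = 1;
	ds->next = graveyard;
	graveyard = ds;
}

/* Pre-fix order: look up (or create) ds, then reap the old ruleset. */
static struct ruleset *ruleset_use_buggy(rsnum_t n, struct mount *dm)
{
	struct ruleset *cds, *ds;
	ds = ruleset_bynum(n);
	if (ds == NULL)
		ds = ruleset_create(n);
	if (dm->cur != 0) {
		cds = ruleset_bynum(dm->cur);
		--cds->refcount;
		ruleset_reap(cds);	/* frees ds when cds == ds and it is empty */
	}
	++ds->refcount;			/* then this writes to freed memory */
	dm->cur = n;
	return (ds);
}

/* Fixed order: reap the old ruleset first, then look up or create ds. */
static struct ruleset *ruleset_use_fixed(rsnum_t n, struct mount *dm)
{
	struct ruleset *cds, *ds;
	if (dm->cur != 0) {
		cds = ruleset_bynum(dm->cur);
		--cds->refcount;
		ruleset_reap(cds);
	}
	ds = ruleset_bynum(n);
	if (ds == NULL)
		ds = ruleset_create(n);
	++ds->refcount;
	dm->cur = n;
	return (ds);
}

static void reset(void)
{
	struct ruleset *ds, *next;
	for (ds = rulesets; ds != NULL; ds = next) { next = ds->next; free(ds); }
	for (ds = graveyard; ds != NULL; ds = next) { next = ds->next; free(ds); }
	rulesets = graveyard = NULL;
}

/* The PR's reproducer ("devfs ruleset 100" twice on a fresh mount) run through
 * one variant; nrules_between simulates adding rules before the second select.
 * Returns 1 if the mount ends up on a live ruleset, 0 if it got a reaped one. */
static int scenario(struct ruleset *(*use)(rsnum_t, struct mount *),
    int nrules_between)
{
	struct mount dm = { 0 };
	struct ruleset *first, *second;
	int live;
	first = use(100, &dm);
	first->nrules = nrules_between;
	second = use(100, &dm);
	live = !second->freed && ruleset_bynum(100) == second &&
	    second->refcount == 1;
	reset();
	return (live);
}
```

`scenario(ruleset_use_buggy, 0)` reports a dangling ruleset because the second select decrements the only reference, `ruleset_reap` discards the empty ruleset, and `ds` still points at it; with one rule present (`nrules_between = 1`) the reap is skipped and the buggy order happens to work, which is why the PR's reproducer needs a freshly created, never-populated ruleset. `ruleset_use_fixed` passes both cases: the empty ruleset is reaped and then re-created before the refcount is taken.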
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->gonzo 
Responsible-Changed-By: gonzo 
Responsible-Changed-When: Sat Jun 21 22:23:53 UTC 2008 
Responsible-Changed-Why:  
I'll take care of it 

http://www.freebsd.org/cgi/query-pr.cgi?pr=124853 
State-Changed-From-To: open->patched 
State-Changed-By: gonzo 
State-Changed-When: Sun Jun 22 14:37:15 UTC 2008 
State-Changed-Why:  
Patch committed 

http://www.freebsd.org/cgi/query-pr.cgi?pr=124853 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/124853: commit references a PR
Date: Sun, 22 Jun 2008 14:34:52 +0000 (UTC)

 gonzo       2008-06-22 14:34:38 UTC
 
   FreeBSD src repository
 
   Modified files:
     sys/fs/devfs         devfs_rule.c 
   Log:
   SVN rev 179926 on 2008-06-22 14:34:38Z by gonzo
   
   Get pointer to devfs_ruleset struct after garbage collection has been
   performed. Otherwise if ruleset is used by given mountpoint and is empty
   it's freed by devfs_ruleset_reap and pointer becomes bogus.
   
   Submitted by:   Mateusz Guzik <mjguzik@gmail.com>
   PR:             kern/124853
   
   Revision  Changes    Path
   1.25      +3 -3      src/sys/fs/devfs/devfs_rule.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
Responsible-Changed-From-To: gonzo->freebsd-bugs 
Responsible-Changed-By: gonzo 
Responsible-Changed-When: Tue Nov 9 00:48:11 UTC 2010 
Responsible-Changed-Why:  
Back to pool 

http://www.freebsd.org/cgi/query-pr.cgi?pr=124853 
Responsible-Changed-From-To: freebsd-bugs->jh 
Responsible-Changed-By: jh 
Responsible-Changed-When: Mon Feb 21 15:06:34 UTC 2011 
Responsible-Changed-Why:  
Take. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=124853 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/124853: commit references a PR
Date: Thu, 10 Mar 2011 16:51:41 +0000 (UTC)

 Author: jh
 Date: Thu Mar 10 16:51:28 2011
 New Revision: 219453
 URL: http://svn.freebsd.org/changeset/base/219453
 
 Log:
   MFC r179926 by gonzo:
   
   Get pointer to devfs_ruleset struct after garbage collection has been
   performed. Otherwise if ruleset is used by given mountpoint and is empty
   it's freed by devfs_ruleset_reap and pointer becomes bogus.
   
   PR:		kern/124853
 
 Modified:
   stable/7/sys/fs/devfs/devfs_rule.c
 Directory Properties:
   stable/7/sys/   (props changed)
   stable/7/sys/cddl/contrib/opensolaris/   (props changed)
   stable/7/sys/contrib/dev/acpica/   (props changed)
   stable/7/sys/contrib/pf/   (props changed)
 
 Modified: stable/7/sys/fs/devfs/devfs_rule.c
 ==============================================================================
 --- stable/7/sys/fs/devfs/devfs_rule.c	Thu Mar 10 16:40:13 2011	(r219452)
 +++ stable/7/sys/fs/devfs/devfs_rule.c	Thu Mar 10 16:51:28 2011	(r219453)
 @@ -735,15 +735,15 @@ devfs_ruleset_use(devfs_rsnum rsnum, str
  {
  	struct devfs_ruleset *cds, *ds;
  
 -	ds = devfs_ruleset_bynum(rsnum);
 -	if (ds == NULL)
 -		ds = devfs_ruleset_create(rsnum);
  	if (dm->dm_ruleset != 0) {
  		cds = devfs_ruleset_bynum(dm->dm_ruleset);
  		--cds->ds_refcount;
  		devfs_ruleset_reap(cds);
  	}
  
 +	ds = devfs_ruleset_bynum(rsnum);
 +	if (ds == NULL)
 +		ds = devfs_ruleset_create(rsnum);
  	/* These should probably be made atomic somehow. */
  	++ds->ds_refcount;
  	dm->dm_ruleset = rsnum;
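Review bot: this hunk matches the head commit (cvs rev 1.25, +3 -3) rather than the patch as originally submitted, which also added a blank line after `ds = devfs_ruleset_create(rsnum);`, so the MFC is a verbatim merge as it should be. The one point to raise is readability: the `/* These should probably be made atomic somehow. */` comment now sits directly under the create call with no separator, so a reader may take it to refer only to `++ds->ds_refcount;` and `dm->dm_ruleset = rsnum;`, when the unlocked window actually runs from the refcount decrement through the lookup to the increment. A blank line before the comment, or moving the comment to the top of the block, would make that clearer without changing behaviour.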
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: jh 
State-Changed-When: Thu Mar 10 17:06:12 UTC 2011 
State-Changed-Why:  
Fixed in supported branches. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=124853 
>Unformatted:
