| author | 2008-10-31 17:29:51 +0000 | |
|---|---|---|
| committer | 2008-10-31 17:29:51 +0000 | |
| commit | 0d58be241fae0c76aa90b0846b61fa136443545e (patch) | |
| tree | 8334ac63ddc85ab453fafa1749fe2f22a852525f /sys/kern/sys_process.c | |
| parent | Revert last commit; mbuf leaks are not solved by double-freeing mbuf chains (diff) | |
Do not assume that a pointer to another process will live over a set of
sleeping calls. Since we are simply operating on another process'
vmspace, grab a (refcounted) copy of that pointer and use that instead.
Similar to the bug just fixed in sysctl_proc_args.
discussed with art
Diffstat (limited to 'sys/kern/sys_process.c')
| -rw-r--r-- | sys/kern/sys_process.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/sys/kern/sys_process.c b/sys/kern/sys_process.c
index d972df7a2c7..cd58c064ddf 100644
--- a/sys/kern/sys_process.c
+++ b/sys/kern/sys_process.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sys_process.c,v 1.42 2008/10/31 17:17:07 deraadt Exp $ */
+/* $OpenBSD: sys_process.c,v 1.43 2008/10/31 17:29:51 deraadt Exp $ */
 /* $NetBSD: sys_process.c,v 1.55 1996/05/15 06:17:47 tls Exp $ */
 /*-
@@ -589,6 +589,7 @@ process_checkioperm(struct proc *p, struct proc *t)
 int
 process_domem(struct proc *curp, struct proc *p, struct uio *uio, int req)
 {
+ struct vmspace *vm;
 int error;
 vaddr_t addr;
 vsize_t len;
@@ -604,10 +605,14 @@ process_domem(struct proc *curp, struct proc *p, struct uio *uio, int req)
 if ((p->p_flag & P_WEXIT) || (p->p_vmspace->vm_refcnt < 1))
 return(EFAULT);
 addr = uio->uio_offset;
- p->p_vmspace->vm_refcnt++; /* XXX */
- error = uvm_io(&p->p_vmspace->vm_map, uio,
+
+ vm = p->p_vmspace;
+ vm->vm_refcnt++;
+
+ error = uvm_io(&vm->vm_map, uio,
 (req == PT_WRITE_I) ? UVM_IO_FIXPROT : 0);
- uvmspace_free(p->p_vmspace);
+
+ uvmspace_free(vm);
 if (error == 0 && req == PT_WRITE_I)
 pmap_proc_iflush(p, addr, len); |
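Review bot: In the third hunk, the trailing context still calls `pmap_proc_iflush(p, addr, len)` after `uvm_io()` returns, so the raw `p` is dereferenced again after the sleeping call that the commit message says it may not survive. The new `vm->vm_refcnt++` pins only the vmspace, not the `struct proc`. Unless the caller keeps the target alive in a way not visible in this hunk, the flush needs either a recheck that the target is still valid or a comment stating why `p` is safe here, for example `/* vm is held across uvm_io(), which may sleep; p is not covered by that reference */`. The hand-rolled increment also lost its `/* XXX */` marker, so a short comment on `vm->vm_refcnt++` explaining that it is paired with `uvmspace_free(vm)` would help. The body of process_domem starts and ends outside the hunk.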
