diff options
| author | anton <anton@cvs.openbsd.org> | 2019-05-21 20:57:11 +0000 |
|---|---|---|
| committer | anton <anton@cvs.openbsd.org> | 2019-05-21 20:57:11 +0000 |
| commit | 2bdaaa2dc8fdb050bb8f43706af7e4335e5c4800 (patch) | |
| tree | 69ea9ec27b013d24d788d64fed1f7fe3f2a0b7a7 /sys/dev | |
| parent | 7dac9df47f7f2951a2dcd471bc8643663e09a140 (diff) | |
A problem fixed in wskbd is also present in wsmux. Repeating the
previous commit message:
In wsmuxclose(), use the same logic as in wsmuxopen() to determine if
the device was opened in write-only mode. Relying on me_evar being NULL
does not work if the wsmux device was opened first followed attaching it
to another wsmux. Closing the wsmux device first at this stage would
cause the wscons_event queue inherited from the parent wsmux to be
freed. This in turn could cause a panic if an ioctl(WSMUXIO_INJECTEVENT)
command is issued on parent wsmux device.
ok mpi@ visa@
Reported-by: syzbot+f6c2ed7901eb4b970720@syzkaller.appspotmail.com
Diffstat (limited to 'sys/dev')
| -rw-r--r-- | sys/dev/wscons/wsmux.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/dev/wscons/wsmux.c b/sys/dev/wscons/wsmux.c index ebdd09a018f..28f6815d91f 100644 --- a/sys/dev/wscons/wsmux.c +++ b/sys/dev/wscons/wsmux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: wsmux.c,v 1.45 2019/03/30 08:04:35 anton Exp $ */ +/* $OpenBSD: wsmux.c,v 1.46 2019/05/21 20:57:10 anton Exp $ */ /* $NetBSD: wsmux.c,v 1.37 2005/04/30 03:47:12 augustss Exp $ */ /* @@ -290,7 +290,7 @@ wsmuxclose(dev_t dev, int flags, int mode, struct proc *p) (struct wsmux_softc *)wsmuxdevs[minor(dev)]; struct wseventvar *evar = sc->sc_base.me_evp; - if (evar == NULL) + if ((flags & (FREAD | FWRITE)) == FWRITE) /* Not open for read */ return (0); |