diff options
| author | Matthew Dempsky <matthew@cvs.openbsd.org> | 2011-06-01 17:57:52 +0000 |
|---|---|---|
| committer | Matthew Dempsky <matthew@cvs.openbsd.org> | 2011-06-01 17:57:52 +0000 |
| commit | 3e37593660205ab33991278fa74beb0bcb474d68 (patch) | |
| tree | 651ae1d80f824b85934ba8f0da10e58bd0561975 /sys | |
| parent | 913a7a020c66ad751249a00866840c30e92c1ad4 (diff) | |
Add device_ref/device_unref calls to prevent a possible use-after-free
issue in disk_attach_callback. Assumes that the struct disk is part
of the driver's softc, but this is always true in practice.
Still other scary use-after-free races lying around here though...
ok jsing@, deraadt@
Diffstat (limited to 'sys')
| -rw-r--r-- | sys/kern/subr_disk.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/sys/kern/subr_disk.c b/sys/kern/subr_disk.c index 9f08e28cf87..1e063759210 100644 --- a/sys/kern/subr_disk.c +++ b/sys/kern/subr_disk.c @@ -1,4 +1,4 @@ -/* $OpenBSD: subr_disk.c,v 1.121 2011/04/28 17:50:17 marco Exp $ */ +/* $OpenBSD: subr_disk.c,v 1.122 2011/06/01 17:57:51 matthew Exp $ */ /* $NetBSD: subr_disk.c,v 1.17 1996/03/16 23:17:08 christos Exp $ */ /* @@ -862,9 +862,14 @@ disk_attach_callback(void *arg1, void *arg2) if (dk == NULL || (dk->dk_flags & (DKF_OPENED | DKF_NOLABELREAD))) return; + /* XXX: Assumes dk is part of the device softc. */ + device_ref(dk->dk_device); + /* Read disklabel. */ disk_readlabel(&dl, dev, errbuf, sizeof(errbuf)); dk->dk_flags |= DKF_OPENED; + + device_unref(dk->dk_device); } /* |