Subject: RFC small patch for vfs_subr.c:vfs_mountedon()
To: None <tech-kern@netbsd.org>
From: Reinoud Zandijk <reinoud@netbsd.org>
List: tech-kern
Date: 01/18/2006 03:36:03

Dear folks,

After bug hunting for a while, I stumbled on a feature, unknown to me, that 
vfs_mountedon() can only and only handle special device nodes and will 
otherwise generate a UVM trap or will access random memory. This is due to 
the dereference of vp->v_specmountpoint, which is really 
vp->v_specinfo->si_mountpoint. The field v_specinfo is multiplexed with 
other fields in struct vnode, like struct socket.

Before I looked at the implementation of vfs_mountedon() I thought it was 
using the circleq of mountpoints to check... but no, it uses a 
specfs-specific structure.

Just as a sanity check for accessing the specinfo, I'd like to add the 
simple patch:

Index: vfs_subr.c
===================================================================
RCS file: /cvsroot/src/sys/kern/vfs_subr.c,v
retrieving revision 1.259
diff -u -p -r1.259 vfs_subr.c
--- vfs_subr.c  31 Dec 2005 14:05:01 -0000      1.259
+++ vfs_subr.c  18 Jan 2006 02:18:25 -0000
@@ -2065,6 +2065,8 @@ vfs_mountedon(struct vnode *vp)
        struct vnode *vq;
        int error = 0;
 
+       if (vp->v_type != VBLK && vp->v_type != VCHR)
+               return (ENXIO);
        if (vp->v_specmountpoint != NULL)
                return (EBUSY);
        if (vp->v_flag & VALIASED) {
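Review bot: The type check added at the top of vfs_mountedon() carries no comment saying why it is needed, and nothing visible in the function states that callers must pass a VBLK or VCHR vnode. A short comment above the `if (vp->v_type != VBLK && vp->v_type != VCHR)` line, noting that v_specmountpoint is only valid for device vnodes, would keep the guard from being dropped in a later cleanup. Since a non-device vnode reaching this point is a caller bug, also consider whether a silent `return (ENXIO);` is enough or whether a diagnostic assertion should accompany it so the misuse shows up during development.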
---------------

All miscfs's don't use the function other than specfs itself to check for 
double mounts and tmpfs/nfs and friends don't have a device to mount so 
they don't call it.

Thoughts?

Reinoud
p.s. patch not tested yet
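
The failure described in this message, as an added example (not part of the original post and not NetBSD source): a simplified user-space model of a vnode whose per-type pointers share one union, with the unguarded access beside the guarded form the patch proposes. The struct layouts, `mountedon_unchecked()`, `mountedon_checked()` and the sample vnodes are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified user-space model; NOT the NetBSD struct definitions. */
enum vtype { VREG, VBLK, VCHR, VSOCK };
struct mount    { int unused; };
struct specinfo { struct mount *si_mountpoint; };
struct socket   { long so_state; };            /* unrelated layout */

struct vnode {
	enum vtype v_type;                     /* tag: which union member is live */
	union {
		struct socket   *vu_socket;    /* only valid for VSOCK */
		struct specinfo *vu_specinfo;  /* only valid for VBLK/VCHR */
	} v_un;
};

/* Before: trusts the caller. Never called directly below, because on a
 * VSOCK vnode it would read the socket's bytes as a struct specinfo. */
int mountedon_unchecked(const struct vnode *vp) {
	return vp->v_un.vu_specinfo->si_mountpoint != NULL ? EBUSY : 0;
}

/* After: same test, with the type tag checked first as in the patch. */
int mountedon_checked(const struct vnode *vp) {
	if (vp->v_type != VBLK && vp->v_type != VCHR)
		return ENXIO;
	return mountedon_unchecked(vp);
}

/* Constructed sample: a socket vnode must be rejected, not dereferenced. */
int check_socket(void) {
	struct socket so = { 0x1234 };
	struct vnode vp = { VSOCK, { .vu_socket = &so } };
	return mountedon_checked(&vp);
}

/* Constructed sample: a block device, idle or already mounted. */
int check_device(int mounted) {
	struct mount mnt = { 0 };
	struct specinfo si = { mounted ? &mnt : NULL };
	struct vnode vp = { VBLK, { .vu_specinfo = &si } };
	return mountedon_checked(&vp);
}

int main(void) {
	printf("socket=%d idle=%d mounted=%d\n", check_socket(), check_device(0), check_device(1));
	return 0;
}
```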
