git.proxmox.com Git - mirror_zfs.git/commit - module/zfs/zfs_ioctl.c
zfsdev_getminor() should check for invalid file handles
author Richard Yao <richard.yao@clusterhq.com>
Thu, 16 Apr 2015 13:20:02 +0000 (09:20 -0400)
committer Brian Behlendorf <behlendorf1@llnl.gov>
Tue, 23 Jun 2015 00:02:13 +0000 (17:02 -0700)
commit 72540ea3148a2bc03860d7d59b2b5fdc9a5cdee7
tree 93052ce65b3fc8acccc367ecdf7f6744d602113f
parent 99b14de42104021f6b7d88118db010d8246bc0c0
Unit testing at ClusterHQ found that passing an invalid file handle to
zfs_ioc_hold results in a NULL pointer dereference on a system without
assertions:

IP: [<ffffffffa0218aa0>] zfsdev_getminor+0x10/0x20 [zfs]
Call Trace:
[<ffffffffa021b4b0>] zfs_onexit_fd_hold+0x20/0x40 [zfs]
[<ffffffffa0214043>] zfs_ioc_hold+0x93/0xd0 [zfs]
[<ffffffffa0215890>] zfsdev_ioctl+0x200/0x500 [zfs]

Assertions would have caught this had they been enabled, but this is
something that the kernel module should handle without failing.  We
resolve this by searching the linked list to ensure that the file
handle's private_data points to a valid zfsdev_state_t.

Signed-off-by: Richard Yao <ryao@gentoo.org>
Signed-off-by: Andriy Gapon <avg@FreeBSD.org>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #3506
include/sys/zfs_ioctl.h
module/zfs/fm.c
module/zfs/zfs_ioctl.c
module/zfs/zfs_onexit.c
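
The validation pattern the commit message describes, as an added user-space example that is not the commit's code: an untrusted `private_data` pointer is accepted only if its address matches a state the driver itself registered. The names `dev_state`, `file_handle`, `state_list`, `state_register`, `getminor_unchecked` and `getminor_checked`, and the `EBADF` return value, are assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>

/* Hypothetical stand-ins for this example; not the ZFS structures. */
struct dev_state { struct dev_state *next; int minor; };
struct file_handle { void *private_data; };  /* set by whichever driver opened it */
struct dev_state *state_list;                /* every state this driver created */

void state_register(struct dev_state *s, int minor)
{
    s->minor = minor;
    s->next = state_list;
    state_list = s;
}

/* Unchecked form: NULL or another driver's private_data is dereferenced. */
int getminor_unchecked(const struct file_handle *fp)
{
    return ((struct dev_state *)fp->private_data)->minor;
}

/* Checked form: private_data is compared by address against registered
 * states and is only read through the matching list node. Returning EBADF
 * is this example's choice; kernel code would also hold the list's lock
 * during the walk. */
int getminor_checked(const struct file_handle *fp, int *minorp)
{
    const struct dev_state *s;

    if (fp == NULL || fp->private_data == NULL)
        return EBADF;
    for (s = state_list; s != NULL; s = s->next) {
        if ((const void *)s == fp->private_data) {
            *minorp = s->minor;
            return 0;
        }
    }
    return EBADF;
}

int main(void)
{
    struct dev_state st;
    struct file_handle ok = { &st }, bad = { NULL };
    int m = -1;

    state_register(&st, 3);
    return !(getminor_checked(&ok, &m) == 0 && m == 3 &&
        getminor_checked(&bad, &m) == EBADF);
}
```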