Path: blob/main/website/static/security/patches/EN-07:01/nfs60.patch
Index: sys/nfsserver/nfs_serv.c1===================================================================2RCS file: /home/ncvs/src/sys/nfsserver/nfs_serv.c,v3retrieving revision 1.1564diff -u -r1.156 nfs_serv.c5--- sys/nfsserver/nfs_serv.c 17 Apr 2005 16:25:36 -0000 1.1566+++ sys/nfsserver/nfs_serv.c 13 Feb 2007 20:43:09 -00007@@ -569,6 +569,10 @@89error = lookup(&ind);10ind.ni_dvp = NULL;11+ if (ind.ni_cnd.cn_flags & GIANTHELD) {12+ mtx_unlock(&Giant);13+ ind.ni_cnd.cn_flags &= ~GIANTHELD;14+ }1516if (error == 0) {17/*18@@ -599,15 +603,9 @@19}20}2122- if (dirp) {23- vrele(dirp);24- dirp = NULL;25- }26-27/*28* Resources at this point:29* ndp->ni_vp may not be NULL30- *31*/3233if (error) {34@@ -621,15 +619,6 @@35}3637/*38- * Clear out some resources prior to potentially blocking. This39- * is not as critical as ni_dvp resources in other routines, but40- * it helps.41- */42- vrele(ndp->ni_startdir);43- ndp->ni_startdir = NULL;44- NDFREE(&nd, NDF_ONLY_PNBUF);45-46- /*47* Get underlying attribute, then release remaining resources ( for48* the same potential blocking reason ) and reply.49*/50@@ -641,8 +630,12 @@51error = VOP_GETATTR(vp, vap, cred, td);5253vput(vp);54- mtx_unlock(&Giant); /* VFS */55+ vrele(ndp->ni_startdir);56+ vrele(dirp);57ndp->ni_vp = NULL;58+ ndp->ni_startdir = NULL;59+ dirp = NULL;60+ mtx_unlock(&Giant); /* VFS */61NFSD_LOCK();62nfsm_reply(NFSX_SRVFH(v3) + NFSX_POSTOPORFATTR(v3) + NFSX_POSTOPATTR(v3));63if (error) {64@@ -662,17 +655,19 @@6566nfsmout:67NFSD_LOCK_ASSERT();68- NFSD_UNLOCK();69- mtx_lock(&Giant); /* VFS */70- if (dirp)71- vrele(dirp);72+ if (ndp->ni_vp || dirp || ndp->ni_startdir) {73+ NFSD_UNLOCK();74+ mtx_lock(&Giant); /* VFS */75+ if (ndp->ni_vp)76+ vput(ndp->ni_vp);77+ if (dirp)78+ vrele(dirp);79+ if (ndp->ni_startdir)80+ vrele(ndp->ni_startdir);81+ mtx_unlock(&Giant); /* VFS */82+ NFSD_LOCK();83+ }84NDFREE(&nd, NDF_ONLY_PNBUF);85- if (ndp->ni_startdir)86- vrele(ndp->ni_startdir);87- if (ndp->ni_vp)88- vput(ndp->ni_vp);89- 
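Review bot: The new `vrele(dirp);` added right after `vput(vp);` in the `@@ -641,8 +630,12 @@` hunk is unconditional, while every other release of dirp in this patch, including this function's own nfsmout in the next hunk (`if (dirp) vrele(dirp);`), keeps the NULL guard. That is only safe if every path on which nfs_namei() left dirp NULL was already diverted by the earlier `if (error)` branch, which I cannot confirm from the hunk. Either keep the guard, `if (dirp) vrele(dirp);`, or make the assumption explicit with `KASSERT(dirp != NULL, ("nfsrv_lookup: dirp NULL on success path"));` so a later reordering cannot turn it into a NULL dereference. The enclosing function (it looks like nfsrv_lookup) starts before the first hunk.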
mtx_unlock(&Giant); /* VFS */90- NFSD_LOCK();91return (error);92}9394@@ -1924,6 +1919,10 @@9596error = lookup(&nd);97nd.ni_dvp = NULL;98+ if (nd.ni_cnd.cn_flags & GIANTHELD) {99+ mtx_unlock(&Giant);100+ nd.ni_cnd.cn_flags &= ~GIANTHELD;101+ }102if (error)103goto ereply;104105@@ -2004,13 +2003,6 @@106NFSD_LOCK_ASSERT();107NFSD_UNLOCK();108mtx_lock(&Giant); /* VFS */109- if (nd.ni_startdir) {110- vrele(nd.ni_startdir);111- nd.ni_startdir = NULL;112- }113- if (dirp)114- vrele(dirp);115- NDFREE(&nd, NDF_ONLY_PNBUF);116if (nd.ni_dvp) {117if (nd.ni_dvp == nd.ni_vp)118vrele(nd.ni_dvp);119@@ -2019,6 +2011,13 @@120}121if (nd.ni_vp)122vput(nd.ni_vp);123+ if (nd.ni_startdir) {124+ vrele(nd.ni_startdir);125+ nd.ni_startdir = NULL;126+ }127+ if (dirp)128+ vrele(dirp);129+ NDFREE(&nd, NDF_ONLY_PNBUF);130vn_finished_write(mp);131mtx_unlock(&Giant); /* VFS */132NFSD_LOCK();133@@ -2092,6 +2091,8 @@134tl = nfsm_dissect_nonblock(u_int32_t *, NFSX_UNSIGNED);135vtyp = nfsv3tov_type(*tl);136if (vtyp != VCHR && vtyp != VBLK && vtyp != VSOCK && vtyp != VFIFO) {137+ NFSD_UNLOCK();138+ mtx_lock(&Giant); /* VFS */139error = NFSERR_BADTYPE;140goto out;141}142@@ -2108,6 +2109,8 @@143* Iff doesn't exist, create it.144*/145if (nd.ni_vp) {146+ NFSD_UNLOCK();147+ mtx_lock(&Giant); /* VFS */148error = EEXIST;149goto out;150}151@@ -2146,6 +2149,10 @@152153error = lookup(&nd);154nd.ni_dvp = NULL;155+ if (nd.ni_cnd.cn_flags & GIANTHELD) {156+ mtx_unlock(&Giant);157+ nd.ni_cnd.cn_flags &= ~GIANTHELD;158+ }159160if (error)161goto out;162@@ -2158,18 +2165,6 @@163*/164out:165NFSD_UNLOCK_ASSERT();166- if (nd.ni_startdir) {167- vrele(nd.ni_startdir);168- nd.ni_startdir = NULL;169- }170- NDFREE(&nd, NDF_ONLY_PNBUF);171- if (nd.ni_dvp) {172- if (nd.ni_dvp == nd.ni_vp)173- vrele(nd.ni_dvp);174- else175- vput(nd.ni_dvp);176- nd.ni_dvp = NULL;177- }178vp = nd.ni_vp;179if (!error) {180bzero((caddr_t)fhp, sizeof(nfh));181@@ -2178,11 +2173,23 @@182if (!error)183error = VOP_GETATTR(vp, vap, cred, td);184}185+ if 
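Review bot: In the rewritten nfsmout of the `@@ -662,17 +655,19 @@` hunk, `NDFREE(&nd, NDF_ONLY_PNBUF);` now runs after Giant has been dropped and the NFSD lock retaken, whereas the other functions touched by this patch (for example the `@@ -2019,6 +2011,13 @@` hunk) still free the pathname buffer while Giant is held. If freeing the buffer is Giant-free, the other sites could follow this one; if it is not, this site is the odd one out. A one-line comment at the call, `/* pathname buffer is freed without Giant; only the vnode releases need it */`, would record which of the two is intended. The function starts before the first hunk of this file.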
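Review bot: The `out:` label in the `@@ -2158,18 +2165,6 @@` hunk only asserts `NFSD_UNLOCK_ASSERT();`, yet the two new `goto out` sites added in the `@@ -2092` and `@@ -2108` hunks each had to hand-write `NFSD_UNLOCK(); mtx_lock(&Giant); /* VFS */` first, and the vput()/vrele() calls below the label presumably need Giant for non-MPSAFE file systems. Adding `mtx_assert(&Giant, MA_OWNED);` next to the existing assert would catch the next early exit that forgets the hand-off instead of leaving it to a lock-order panic at runtime. The entry contract is worth a comment too: `/* out: entered with the NFSD lock released and Giant held. */`. The function continues on both sides of this hunk.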
(nd.ni_dvp) {186+ if (nd.ni_dvp == nd.ni_vp)187+ vrele(nd.ni_dvp);188+ else189+ vput(nd.ni_dvp);190+ nd.ni_dvp = NULL;191+ }192if (vp) {193vput(vp);194vp = NULL;195nd.ni_vp = NULL;196}197+ if (nd.ni_startdir) {198+ vrele(nd.ni_startdir);199+ nd.ni_startdir = NULL;200+ }201+ NDFREE(&nd, NDF_ONLY_PNBUF);202if (dirp) {203vn_lock(dirp, LK_EXCLUSIVE | LK_RETRY, td);204diraft_ret = VOP_GETATTR(dirp, &diraft, cred, td);205@@ -2210,11 +2217,6 @@206NFSD_LOCK_ASSERT();207NFSD_UNLOCK();208mtx_lock(&Giant); /* VFS */209- if (dirp)210- vrele(dirp);211- if (nd.ni_startdir)212- vrele(nd.ni_startdir);213- NDFREE(&nd, NDF_ONLY_PNBUF);214if (nd.ni_dvp) {215if (nd.ni_dvp == nd.ni_vp)216vrele(nd.ni_dvp);217@@ -2223,6 +2225,11 @@218}219if (nd.ni_vp)220vput(nd.ni_vp);221+ if (dirp)222+ vrele(dirp);223+ if (nd.ni_startdir)224+ vrele(nd.ni_startdir);225+ NDFREE(&nd, NDF_ONLY_PNBUF);226vn_finished_write(mp);227mtx_unlock(&Giant); /* VFS */228NFSD_LOCK();229@@ -2519,8 +2526,8 @@230tond.ni_dvp = NULL;231tond.ni_vp = NULL;232if (error) {233- fromnd.ni_cnd.cn_flags &= ~HASBUF;234- tond.ni_cnd.cn_flags &= ~HASBUF;235+ NDFREE(&fromnd, NDF_ONLY_PNBUF);236+ NDFREE(&tond, NDF_ONLY_PNBUF);237}238} else {239if (error == -1)240@@ -2573,11 +2580,6 @@241NFSD_LOCK_ASSERT();242NFSD_UNLOCK();243mtx_lock(&Giant); /* VFS */244- if (tdirp)245- vrele(tdirp);246- if (tond.ni_startdir)247- vrele(tond.ni_startdir);248- NDFREE(&tond, NDF_ONLY_PNBUF);249if (tond.ni_dvp) {250if (tond.ni_dvp == tond.ni_vp)251vrele(tond.ni_dvp);252@@ -2586,7 +2588,11 @@253}254if (tond.ni_vp)255vput(tond.ni_vp);256-257+ if (tdirp)258+ vrele(tdirp);259+ if (tond.ni_startdir)260+ vrele(tond.ni_startdir);261+ NDFREE(&tond, NDF_ONLY_PNBUF);262/*263* Clear out fromnd related fields264*/265@@ -2747,8 +2753,6 @@266NFSD_UNLOCK();267mtx_lock(&Giant); /* VFS */268NDFREE(&nd, NDF_ONLY_PNBUF);269- if (dirp)270- vrele(dirp);271if (vp)272vput(vp);273if (nd.ni_dvp) {274@@ -2757,6 +2761,8 @@275else276vput(nd.ni_dvp);277}278+ if (dirp)279+ 
vrele(dirp);280if (nd.ni_vp)281vrele(nd.ni_vp);282vn_finished_write(mp);283@@ -2815,6 +2821,12 @@284nd.ni_cnd.cn_flags = LOCKPARENT | SAVESTART;285error = nfs_namei(&nd, fhp, len, slp, nam, &md, &dpos,286&dirp, v3, &dirfor, &dirfor_ret, td, FALSE);287+ if (error == 0) {288+ VATTR_NULL(vap);289+ if (v3)290+ nfsm_srvsattr(vap);291+ nfsm_srvpathsiz(len2);292+ }293NFSD_UNLOCK();294mtx_lock(&Giant); /* VFS */295if (dirp && !v3) {296@@ -2824,10 +2836,6 @@297if (error)298goto out;299300- VATTR_NULL(vap);301- if (v3)302- nfsm_srvsattr(vap);303- nfsm_srvpathsiz(len2);304MALLOC(pathcp, caddr_t, len2 + 1, M_TEMP, M_WAITOK);305iv.iov_base = pathcp;306iv.iov_len = len2;307@@ -2884,6 +2892,10 @@308309error = lookup(&nd);310nd.ni_dvp = NULL;311+ if (nd.ni_cnd.cn_flags & GIANTHELD) {312+ mtx_unlock(&Giant);313+ nd.ni_cnd.cn_flags &= ~GIANTHELD;314+ }315316if (error == 0) {317bzero((caddr_t)fhp, sizeof(nfh));318@@ -3113,8 +3125,6 @@319NFSD_LOCK_ASSERT();320NFSD_UNLOCK();321mtx_lock(&Giant); /* VFS */322- if (dirp)323- vrele(dirp);324if (nd.ni_dvp) {325NDFREE(&nd, NDF_ONLY_PNBUF);326if (nd.ni_dvp == nd.ni_vp && vpexcl)327@@ -3128,6 +3138,8 @@328else329vrele(nd.ni_vp);330}331+ if (dirp)332+ vrele(dirp);333vn_finished_write(mp);334mtx_unlock(&Giant); /* VFS */335NFSD_LOCK();336@@ -3255,8 +3267,6 @@337NFSD_UNLOCK();338mtx_lock(&Giant); /* VFS */339NDFREE(&nd, NDF_ONLY_PNBUF);340- if (dirp)341- vrele(dirp);342if (nd.ni_dvp) {343if (nd.ni_dvp == nd.ni_vp)344vrele(nd.ni_dvp);345@@ -3265,6 +3275,8 @@346}347if (nd.ni_vp)348vput(nd.ni_vp);349+ if (dirp)350+ vrele(dirp);351352vn_finished_write(mp);353mtx_unlock(&Giant); /* VFS */354Index: sys/nfsserver/nfs_srvsubs.c355===================================================================356RCS file: /home/ncvs/src/sys/nfsserver/nfs_srvsubs.c,v357retrieving revision 1.136358diff -u -r1.136 nfs_srvsubs.c359--- sys/nfsserver/nfs_srvsubs.c 28 Mar 2005 18:51:58 -0000 1.136360+++ sys/nfsserver/nfs_srvsubs.c 13 Feb 2007 20:43:09 -0000361@@ -875,6 
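Review bot: The `@@ -2815,6 +2821,12 @@` hunk moves `VATTR_NULL(vap)`, `nfsm_srvsattr(vap)` and `nfsm_srvpathsiz(len2)` ahead of `NFSD_UNLOCK(); mtx_lock(&Giant);` without saying why; the reason is visible elsewhere in the patch (nfsm_srvpathsiz expands to `nfsm_reply(0)`, and the nfsmout labels in this file assert that the NFSD lock is held), so a comment would spare the next reader the search: `/* Decode while the NFSD lock is still held: these macros nfsm_reply() on error. */`. Note that on the `error != 0` path `len2` and `*vap` are now never initialised before the jump to `out`; that is fine only if nothing after the label reads them, which I cannot see from here. The enclosing function starts before this hunk.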
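Review bot: The `@@ -3128,6 +3138,8 @@` hunk, like several others in this patch, moves `vrele(dirp)` from before the `nd.ni_dvp`/`nd.ni_vp` releases to after them, but no hunk explains the new ordering. My reading is that vrele() may have to lock the directory and doing that while the leaf is still locked is the wrong lock order, but that is inference; whichever the reason, the first site in the file deserves a comment such as `/* Release the locked vnodes before vrele()ing the directory. */` so the order is not "fixed" back. The function continues outside this hunk.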
+875,10 @@362}363if (!lockleaf)364cnp->cn_flags &= ~LOCKLEAF;365+ if (cnp->cn_flags & GIANTHELD) {366+ mtx_unlock(&Giant);367+ cnp->cn_flags &= ~GIANTHELD;368+ }369370/*371* nfs_namei() guarentees that fields will not contain garbage372@@ -1331,6 +1335,24 @@373return 0;374}375376+int377+nfsm_srvnamesiz0_xx(int *s, int m, struct mbuf **md, caddr_t *dpos)378+{379+ u_int32_t *tl;380+381+ NFSD_LOCK_DONTCARE();382+383+ tl = nfsm_dissect_xx_nonblock(NFSX_UNSIGNED, md, dpos);384+ if (tl == NULL)385+ return EBADRPC;386+ *s = fxdr_unsigned(int32_t, *tl);387+ if (*s > m)388+ return NFSERR_NAMETOL;389+ if (*s < 0)390+ return EBADRPC;391+ return 0;392+}393+394void395nfsm_clget_xx(u_int32_t **tl, struct mbuf *mb, struct mbuf **mp,396char **bp, char **be, caddr_t bpos, int droplock)397Index: sys/nfsserver/nfsm_subs.h398===================================================================399RCS file: /home/ncvs/src/sys/nfsserver/nfsm_subs.h,v400retrieving revision 1.37401diff -u -r1.37 nfsm_subs.h402--- sys/nfsserver/nfsm_subs.h 7 Jan 2005 01:45:51 -0000 1.37403+++ sys/nfsserver/nfsm_subs.h 13 Feb 2007 20:43:09 -0000404@@ -74,6 +74,7 @@405406int nfsm_srvstrsiz_xx(int *s, int m, struct mbuf **md, caddr_t *dpos);407int nfsm_srvnamesiz_xx(int *s, int m, struct mbuf **md, caddr_t *dpos);408+int nfsm_srvnamesiz0_xx(int *s, int m, struct mbuf **md, caddr_t *dpos);409int nfsm_srvmtofh_xx(fhandle_t *f, struct nfsrv_descript *nfsd,410struct mbuf **md, caddr_t *dpos);411int nfsm_srvsattr_xx(struct vattr *a, struct mbuf **md, caddr_t *dpos);412@@ -101,7 +102,7 @@413#define nfsm_srvpathsiz(s) \414do { \415int t1; \416- t1 = nfsm_srvnamesiz_xx(&(s), NFS_MAXPATHLEN, &md, &dpos); \417+ t1 = nfsm_srvnamesiz0_xx(&(s), NFS_MAXPATHLEN, &md, &dpos); \418if (t1) { \419error = t1; \420nfsm_reply(0); \421422423
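Review bot: The four-line GIANTHELD release added in the `@@ -875,6 +875,10 @@` hunk is the fifth identical copy in this patch (the others follow each `lookup()` call in nfs_serv.c) and none of them says what the unlock balances. A helper in nfsm_subs.h, `static __inline void nfsrv_giant_release(struct componentname *cnp)`, or at minimum a comment at each site, `/* lookup() took Giant for a non-MPSAFE fs; drop it now that the lookup is done. */`, would keep the copies from drifting. I read the flag as meaning lookup() itself acquired Giant, so this unlock undoes that acquisition; please confirm that is the intended semantics before wording the comment. nfs_namei() continues outside this hunk.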
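Review bot: nfsm_srvnamesiz0_xx() in the `@@ -1331,6 +1335,24 @@` hunk carries no comment on how it differs from nfsm_srvnamesiz_xx(), and since nfsm_srvpathsiz now routes through it the accepted range is part of the wire-input contract. A header comment such as `/* Like nfsm_srvnamesiz_xx(), but a zero-length name is accepted. Negative lengths return EBADRPC, lengths above m return NFSERR_NAMETOL. */` would state it; the "0" in the name presumably means exactly that, but the patch does not say so. The checks themselves hold up: the length is decoded as int32_t, so a value with the top bit set fails `*s < 0` rather than slipping past `*s > m`. Testing `*s < 0` first would read more naturally, malformed before too-long, but the result is the same either way.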