From 706f80801d4debfdb75220308d03812afeb890ea Mon Sep 17 00:00:00 2001
From: Konstantin Belousov
Date: Mon, 14 Jul 2014 08:45:29 +0000
Subject: [PATCH] The tmpfs_link() must not dereference the filesystem-specific data for a vnode until it is verified that the vnode indeed belongs to tmpfs mount. Otherwise, it might access random memory, at least in the debug kernel.
Reported and tested by: pho
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
---
 sys/fs/tmpfs/tmpfs_vnops.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sys/fs/tmpfs/tmpfs_vnops.c b/sys/fs/tmpfs/tmpfs_vnops.c
index ea27fca6949..3586a288596 100644
--- a/sys/fs/tmpfs/tmpfs_vnops.c
+++ b/sys/fs/tmpfs/tmpfs_vnops.c
@@ -570,8 +570,6 @@ tmpfs_link(struct vop_link_args *v)
 MPASS(cnp->cn_flags & HASBUF);
 MPASS(dvp != vp); /* XXX When can this be false? */
- node = VP_TO_TMPFS_NODE(vp);
-
 /* XXX: Why aren't the following two tests done by the caller? */
 /* Hard links of directories are forbidden. */
@@ -586,6 +584,8 @@ tmpfs_link(struct vop_link_args *v)
 goto out;
 }
+ node = VP_TO_TMPFS_NODE(vp);
+
 /* Ensure that we do not overflow the maximum number of links imposed
 * by the system. */
 MPASS(node->tn_links <= LINK_MAX);
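Review bot: The relocated `node = VP_TO_TMPFS_NODE(vp);` in the second hunk carries no comment saying why it must sit below the checks that end in `goto out;`, so a later cleanup could hoist it back to the top of tmpfs_link() and reintroduce the dereference of another filesystem's per-vnode data that the commit message describes. I would add a comment directly above it, e.g. `/* vp is only known to belong to this tmpfs mount after the checks above; do not convert it to a tmpfs node earlier. */`. The earlier `goto out` exits now run with `node` unassigned, so it is worth confirming that nothing at the `out:` label reads it. That label, the checks themselves, and the start and end of tmpfs_link() are all outside the hunk.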