Hi,

a file pointer may be incompletely initialized after falloc(). For example, sys_socket() initializes 'f_flag', 'f_type', and 'f_ops' but may then sleep in socreate() before assigning 'f_data'.

That is why there is the FIF_LARVAL flag, which is checked by the macro FILE_IS_USABLE(). Of the three different operations sysctl_file() implements, two of them (namely KERN_FILE_BYPID and KERN_FILE_BYUID) use FILE_IS_USABLE() to keep hands off incomplete file pointers. Yet the third operation (KERN_FILE_BYFILE) doesn't. That can yield a fault when dereferencing fp->f_data. The fix is rather straightforward.

Gerhard

Index: sys/kern/kern_sysctl.c
===================================================================
RCS file: /cvs/src/sys/kern/kern_sysctl.c,v
retrieving revision 1.328
diff -u -p -u -p -r1.328 kern_sysctl.c
--- sys/kern/kern_sysctl.c	14 Jun 2017 03:00:40 -0000	1.328
+++ sys/kern/kern_sysctl.c	20 Jun 2017 11:31:40 -0000
@@ -1327,6 +1327,7 @@ sysctl_file(int *name, u_int namelen, ch
 		FREF(fp);
 		do {
 			if (fp->f_count > 1 && /* 0, +1 for our FREF() */
+			    FILE_IS_USABLE(fp) &&
 			    (arg == 0 || fp->f_type == arg)) {
 				int af, skip = 0;
 				if (arg == DTYPE_SOCKET && fp->f_type == arg) {
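Review bot: the FILE_IS_USABLE(fp) test is evaluated after the f_count check and before the `fp->f_type == arg` comparison and the f_data accesses further down the KERN_FILE_BYFILE path, so a still-larval file is rejected before anything that the mail says may not be initialized yet is read; that is the right place for it, and it brings this operation in line with the FIF_LARVAL guard KERN_FILE_BYPID and KERN_FILE_BYUID already apply. Since the condition now has three legs and the reason for the middle one is only explained in the mail, consider a one-line comment next to it, e.g. `/* skip larval files: f_data is not set yet */`, so the next reader does not remove it as redundant with f_count. Also worth confirming when committing: FIF_LARVAL must be cleared only after f_data has been assigned in the falloc()/socreate() sequence, otherwise this check does not close the window the mail describes.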