devfs: fix a vnode use-after-free in devfs_ioctl

The vnode to be replaced was read with a shared lock, meaning 2 racing threads
can find the same one.

While here clean it up a little bit.

1 files changed, 9 insertions, 8 deletions

diff --git a/sys/fs/devfs/devfs_vnops.c b/sys/fs/devfs/devfs_vnops.c
index e7e524d2f0b9..c21c1128543e 100644
--- a/sys/fs/devfs/devfs_vnops.c
+++ b/sys/fs/devfs/devfs_vnops.c
@@ -787,6 +787,7 @@ devfs_ioctl(struct vop_ioctl_args *ap)
 	struct vnode *vpold, *vp;
 	struct cdevsw *dsw;
 	struct thread *td;
+	struct session *sess;
 	struct cdev *dev;
 	int error, ref, i;
 	const char *p;
@@ -836,18 +837,18 @@ devfs_ioctl(struct vop_ioctl_args *ap)
 		 * nothing left to do.
 		 */
 		sx_slock(&proctree_lock);
-		if (td->td_proc->p_session->s_ttyvp == vp ||
-		    td->td_proc->p_session->s_ttyp == NULL) {
+		sess = td->td_proc->p_session;
+		if (sess->s_ttyvp == vp || sess->s_ttyp == NULL) {
 			sx_sunlock(&proctree_lock);
 			return (0);
 		}
 
-		vpold = td->td_proc->p_session->s_ttyvp;
-		VREF(vp);
-		SESS_LOCK(td->td_proc->p_session);
-		td->td_proc->p_session->s_ttyvp = vp;
-		td->td_proc->p_session->s_ttydp = cdev2priv(dev);
-		SESS_UNLOCK(td->td_proc->p_session);
+		vrefact(vp);
+		SESS_LOCK(sess);
+		vpold = sess->s_ttyvp;
+		sess->s_ttyvp = vp;
+		sess->s_ttydp = cdev2priv(dev);
+		SESS_UNLOCK(sess);
 
 		sx_sunlock(&proctree_lock);