From f5baf8d66b0129e0c552d541f60612c137bd658a Mon Sep 17 00:00:00 2001 From: Konstantin Belousov Date: Tue, 3 Jul 2007 17:46:37 +0000 Subject: [PATCH] Lock Giant and proctree lock around dereferencing p_session->s_ttyvp->v_rdev. Lock cdev mutex too to close the race with tty being freed. Relock clone_drain_lock to prevent the LOR with proctree lock, thus add #include . Suggested by: tegge Debugging help and testing by: Peter Holm Approved by: re (kensmith) --- sys/kern/tty_tty.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/sys/kern/tty_tty.c b/sys/kern/tty_tty.c index 8a0418562be7..0b10f83a3f49 100644 --- a/sys/kern/tty_tty.c +++ b/sys/kern/tty_tty.c @@ -31,8 +31,12 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include +#include +#include + static d_open_t cttyopen; static struct cdevsw ctty_cdevsw = { @@ -60,6 +64,11 @@ ctty_clone(void *arg, struct ucred *cred, char *name, int namelen, return; if (strcmp(name, "tty")) return; + sx_sunlock(&clone_drain_lock); + mtx_lock(&Giant); + sx_slock(&proctree_lock); + sx_slock(&clone_drain_lock); + dev_lock(); if (!(curthread->td_proc->p_flag & P_CONTROLT)) *dev = ctty; else if (curthread->td_proc->p_session->s_ttyvp == NULL) @@ -70,7 +79,10 @@ ctty_clone(void *arg, struct ucred *cred, char *name, int namelen, *dev = ctty; } else *dev = curthread->td_proc->p_session->s_ttyvp->v_rdev; - dev_ref(*dev); + dev_refl(*dev); + dev_unlock(); + sx_sunlock(&proctree_lock); + mtx_unlock(&Giant); } static void
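Review bot: The `sx_sunlock(&clone_drain_lock);` that opens the new locking sequence in ctty_clone (second hunk) releases a lock this function never acquired, and nothing in the code records that the caller must hold it shared or why it is dropped and retaken. Between that unlock and the `sx_slock(&clone_drain_lock);` three lines later a thread waiting for the exclusive side can presumably proceed, so the handler depends on `ctty` staying valid across the window; whether that holds is not visible from these hunks. I would add `sx_assert(&clone_drain_lock, SA_SLOCKED);` ahead of the unlock and a comment along the lines of `/* Retake clone_drain_lock after proctree_lock to avoid a LOR; ctty must outlive the unlocked window. */`. The matching `dev_unlock()`, `sx_sunlock(&proctree_lock)` and `mtx_unlock(&Giant)` are in the third hunk, and ctty_clone's body begins before the second hunk and has lines between the two hunks that are not shown.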