tty: fix a panic with INVARIANTS

watch'ing a tty triggers a refcount wraparound panic, take a reference
on fp after fget_cap_locked() to fix.

Reported by:    Michael Jung <mikej_at_paymentallianceintl.com>
Reviewed by:	hselasky, mjg
Fixes:          f40dd6c8034b ("tty: switch ttyhook_register to use fget_cap_locked")
Differential Revision:	https://reviews.freebsd.org/D34335

diff --git a/sys/kern/tty.c b/sys/kern/tty.c
index ebb32f698e88ad57b5a084c16a75caeb079597d1..9e6cd8d317cc69fd5efa386034e9ab1e164041e1 100644 (file)
--- a/sys/kern/tty.c
+++ b/sys/kern/tty.c
@@ -2083,6 +2083,8 @@ ttyhook_register(struct tty **rtp, struct proc *p, int fd, struct ttyhook *th,
        FILEDESC_SLOCK(fdp);
        error = fget_cap_locked(fdp, fd, cap_rights_init_one(&rights, CAP_TTYHOOK),
            &fp, NULL);
+       if (error == 0 && !fhold(fp))
+               error = EBADF;
        FILEDESC_SUNLOCK(fdp);
        if (error != 0)
                return (error);