Module Name: src
Committed By: hannken
Date: Sun Jan 28 10:02:01 UTC 2018
Modified Files:
src/sys/ufs/ffs: ffs_vfsops.c
Log Message:
Prevent use-after-free where genfs_node_destroy() would destroy
a lock residing in the just freed inode data.
To generate a diff of this commit:
cvs rdiff -u -r1.355 -r1.356 src/sys/ufs/ffs/ffs_vfsops.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/ufs/ffs/ffs_vfsops.c
diff -u src/sys/ufs/ffs/ffs_vfsops.c:1.355 src/sys/ufs/ffs/ffs_vfsops.c:1.356
--- src/sys/ufs/ffs/ffs_vfsops.c:1.355 Wed Nov 15 21:21:18 2017
+++ src/sys/ufs/ffs/ffs_vfsops.c Sun Jan 28 10:02:00 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: ffs_vfsops.c,v 1.355 2017/11/15 21:21:18 christos Exp $ */
+/* $NetBSD: ffs_vfsops.c,v 1.356 2018/01/28 10:02:00 hannken Exp $ */
/*-
* Copyright (c) 2008, 2009 The NetBSD Foundation, Inc.
@@ -61,7 +61,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ffs_vfsops.c,v 1.355 2017/11/15 21:21:18 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ffs_vfsops.c,v 1.356 2018/01/28 10:02:00 hannken Exp $");
#if defined(_KERNEL_OPT)
#include "opt_ffs.h"
@@ -2024,14 +2024,14 @@ ffs_deinit_vnode(struct ufsmount *ump, s
{
struct inode *ip = VTOI(vp);
+ genfs_node_destroy(vp);
+ vp->v_data = NULL;
+
if (ump->um_fstype == UFS1)
pool_cache_put(ffs_dinode1_cache, ip->i_din.ffs1_din);
else
pool_cache_put(ffs_dinode2_cache, ip->i_din.ffs2_din);
pool_cache_put(ffs_inode_cache, ip);
-
- genfs_node_destroy(vp);
- vp->v_data = NULL;
}
/*
