Revision 68e23840d424b9ee403f09dcbdc106327d385ece authored by Konstantin Belousov on 23 January 2010, 19:01:25 UTC, committed by Konstantin Belousov on 23 January 2010, 19:01:25 UTC
The quotactl, statfs and fstatfs syscall implementations may dereference NULL pointer to struct mount if the looked up vnode is reclaimed. Also, these syscalls only mnt_ref() the mp, still allowing it to be unmounted; only struct mount memory is kept from being reused. Lock the vnode when doing name lookup, then reference its mount point, unlock the vnode and vfs_busy the mountpoint. This sequence shall take care of both races.

MFC r188141 (by trasz): In some situations, mnt_lockref could go negative due to vfs_unbusy() being called without calling vfs_busy() first. This made umount(8) hang waiting for mnt_lockref to become zero, which would never happen.

MFC r196887: In fhopen, vfs_ref() the mount point while vnode is unlocked, to prevent vn_start_write(NULL, &mp) from operating on potentially freed or reused struct mount *. Remove unmatched vfs_rel() in cleanup.

Approved by: re (bz)

1 parent d902a89
File | Mode | Size |
---|---|---|
dest6.c | -rw-r--r-- | 3.6 KB |
frag6.c | -rw-r--r-- | 19.4 KB |
icmp6.c | -rw-r--r-- | 71.5 KB |
icmp6.h | -rw-r--r-- | 138 bytes |
in6.c | -rw-r--r-- | 63.2 KB |
in6.h | -rw-r--r-- | 24.7 KB |
in6_cksum.c | -rw-r--r-- | 8.4 KB |
in6_gif.c | -rw-r--r-- | 11.2 KB |
in6_gif.h | -rw-r--r-- | 2.0 KB |
in6_ifattach.c | -rw-r--r-- | 23.8 KB |
in6_ifattach.h | -rw-r--r-- | 2.1 KB |
in6_pcb.c | -rw-r--r-- | 25.5 KB |
in6_pcb.h | -rw-r--r-- | 5.0 KB |
in6_proto.c | -rw-r--r-- | 17.9 KB |
in6_rmx.c | -rw-r--r-- | 13.9 KB |
in6_src.c | -rw-r--r-- | 30.9 KB |
in6_var.h | -rw-r--r-- | 23.2 KB |
ip6.h | -rw-r--r-- | 133 bytes |
ip6_ecn.h | -rw-r--r-- | 1.9 KB |
ip6_forward.c | -rw-r--r-- | 17.2 KB |
ip6_id.c | -rw-r--r-- | 8.3 KB |
ip6_input.c | -rw-r--r-- | 41.1 KB |
ip6_ipsec.c | -rw-r--r-- | 9.6 KB |
ip6_ipsec.h | -rw-r--r-- | 1.9 KB |
ip6_mroute.c | -rw-r--r-- | 47.3 KB |
ip6_mroute.h | -rw-r--r-- | 9.4 KB |
ip6_output.c | -rw-r--r-- | 82.2 KB |
ip6_var.h | -rw-r--r-- | 15.3 KB |
ip6protosw.h | -rw-r--r-- | 5.9 KB |
mld6.c | -rw-r--r-- | 18.1 KB |
mld6_var.h | -rw-r--r-- | 2.1 KB |
nd6.c | -rw-r--r-- | 61.7 KB |
nd6.h | -rw-r--r-- | 14.1 KB |
nd6_nbr.c | -rw-r--r-- | 38.0 KB |
nd6_rtr.c | -rw-r--r-- | 57.8 KB |
pim6.h | -rw-r--r-- | 2.5 KB |
pim6_var.h | -rw-r--r-- | 2.6 KB |
raw_ip6.c | -rw-r--r-- | 20.7 KB |
raw_ip6.h | -rw-r--r-- | 2.2 KB |
route6.c | -rw-r--r-- | 6.6 KB |
scope6.c | -rw-r--r-- | 11.5 KB |
scope6_var.h | -rw-r--r-- | 2.6 KB |
sctp6_usrreq.c | -rw-r--r-- | 34.9 KB |
sctp6_var.h | -rw-r--r-- | 2.3 KB |
tcp6_var.h | -rw-r--r-- | 3.6 KB |
udp6_usrreq.c | -rw-r--r-- | 26.2 KB |
udp6_var.h | -rw-r--r-- | 3.4 KB |