Revision 68e23840d424b9ee403f09dcbdc106327d385ece authored by Konstantin Belousov on 23 January 2010, 19:01:25 UTC, committed by Konstantin Belousov on 23 January 2010, 19:01:25 UTC
The quotactl, statfs and fstatfs syscall implementations may dereference NULL pointer to struct mount if the looked up vnode is reclaimed. Also, these syscalls only mnt_ref() the mp, still allowing it to be unmounted; only struct mount memory is kept from being reused. Lock the vnode when doing name lookup, then reference its mount point, unlock the vnode and vfs_busy the mountpoint. This sequence shall take care of both races. MFC r188141 (by trasz): In some situations, mnt_lockref could go negative due to vfs_unbusy() being called without calling vfs_busy() first. This made umount(8) hang waiting for mnt_lockref to become zero, which would never happen. MFC r196887: In fhopen, vfs_ref() the mount point while vnode is unlocked, to prevent vn_start_write(NULL, &mp) from operating on potentially freed or reused struct mount *. Remove unmatched vfs_rel() in cleanup. Approved by: re (bz)
1 parent d902a89
| File | Mode | Size |
|---|---|---|
| Makefile | -rw-r--r-- | 980 bytes |
| advcap.c | -rw-r--r-- | 9.4 KB |
| advcap.h | -rw-r--r-- | 1.8 KB |
| config.c | -rw-r--r-- | 29.1 KB |
| config.h | -rw-r--r-- | 2.1 KB |
| dump.c | -rw-r--r-- | 6.9 KB |
| dump.h | -rw-r--r-- | 1.6 KB |
| if.c | -rw-r--r-- | 12.9 KB |
| if.h | -rw-r--r-- | 2.5 KB |
| pathnames.h | -rw-r--r-- | 126 bytes |
| rrenum.c | -rw-r--r-- | 13.8 KB |
| rrenum.h | -rw-r--r-- | 1.7 KB |
| rtadvd.8 | -rw-r--r-- | 6.1 KB |
| rtadvd.c | -rw-r--r-- | 42.8 KB |
| rtadvd.conf | -rw-r--r-- | 903 bytes |
| rtadvd.conf.5 | -rw-r--r-- | 12.2 KB |
| rtadvd.h | -rw-r--r-- | 5.4 KB |
| timer.c | -rw-r--r-- | 5.3 KB |
| timer.h | -rw-r--r-- | 2.8 KB |
Computing file changes ...
