From owner-svn-src-all@freebsd.org Sat Jun 25 09:32:36 2016 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E3028B803B8; Sat, 25 Jun 2016 09:32:36 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id AFAC21703; Sat, 25 Jun 2016 09:32:36 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u5P9WZvL060717; Sat, 25 Jun 2016 09:32:35 GMT (envelope-from kib@FreeBSD.org) Received: (from kib@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u5P9WZ4C060716; Sat, 25 Jun 2016 09:32:35 GMT (envelope-from kib@FreeBSD.org) Message-Id: <201606250932.u5P9WZ4C060716@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kib set sender to kib@FreeBSD.org using -f From: Konstantin Belousov Date: Sat, 25 Jun 2016 09:32:35 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r302192 - stable/10/sys/nlm X-SVN-Group: stable-10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 25 Jun 2016 09:32:37 -0000 Author: kib Date: Sat Jun 25 09:32:35 2016 New Revision: 302192 URL: https://svnweb.freebsd.org/changeset/base/302192 Log: MFC r302013: After the vnode unlock, mount point might be destroyed immediately, dropping the reference on mnt_cred. Prevent this by referencing the temporal credentials before unlock. Modified: stable/10/sys/nlm/nlm_advlock.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/nlm/nlm_advlock.c ============================================================================== --- stable/10/sys/nlm/nlm_advlock.c Sat Jun 25 04:36:30 2016 (r302191) +++ stable/10/sys/nlm/nlm_advlock.c Sat Jun 25 09:32:35 2016 (r302192) @@ -210,7 +210,7 @@ nlm_advlock_internal(struct vnode *vp, v struct rpc_callextra ext; struct nlm_feedback_arg nf; AUTH *auth; - struct ucred *cred; + struct ucred *cred, *cred1; struct nlm_file_svid *ns; int svid; int error; @@ -240,15 +240,17 @@ nlm_advlock_internal(struct vnode *vp, v else retries = INT_MAX; - if (unlock_vp) - VOP_UNLOCK(vp, 0); - /* * We need to switch to mount-point creds so that we can send - * packets from a privileged port. + * packets from a privileged port. Reference mnt_cred and + * switch to them before unlocking the vnode, since mount + * point could be unmounted right after unlock. */ cred = td->td_ucred; td->td_ucred = vp->v_mount->mnt_cred; + crhold(td->td_ucred); + if (unlock_vp) + VOP_UNLOCK(vp, 0); host = nlm_find_host_by_name(servername, sa, vers); auth = authunix_create(cred); @@ -373,7 +375,9 @@ nlm_advlock_internal(struct vnode *vp, v if (ns) nlm_free_svid(ns); + cred1 = td->td_ucred; td->td_ucred = cred; + crfree(cred1); AUTH_DESTROY(auth); nlm_host_release(host);