From owner-svn-src-all@freebsd.org Mon Aug 21 16:23:45 2017 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id EA64FDE623F; Mon, 21 Aug 2017 16:23:45 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id B9F9C7663F; Mon, 21 Aug 2017 16:23:45 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v7LGNixF094839; Mon, 21 Aug 2017 16:23:44 GMT (envelope-from kib@FreeBSD.org) Received: (from kib@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v7LGNiuc094838; Mon, 21 Aug 2017 16:23:44 GMT (envelope-from kib@FreeBSD.org) Message-Id: <201708211623.v7LGNiuc094838@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kib set sender to kib@FreeBSD.org using -f From: Konstantin Belousov Date: Mon, 21 Aug 2017 16:23:44 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r322757 - head/sys/ufs/ffs X-SVN-Group: head X-SVN-Commit-Author: kib X-SVN-Commit-Paths: head/sys/ufs/ffs X-SVN-Commit-Revision: 322757 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 Aug 2017 16:23:46 -0000 Author: kib Date: Mon Aug 21 16:23:44 2017 New Revision: 322757 URL: https://svnweb.freebsd.org/changeset/base/322757 Log: Avoid dereferencing potentially freed workitem in softdep_count_dependencies(). Buffer's b_dep list is protected by the SU mount lock. Owning the buffer lock is not enough to guarantee the stability of the list. Calculation of the UFS mount owning the workitems from the buffer must be much more careful to not dereference the work item which might be freed meantime. To get to ump, use the pointers chain which does not involve workitems at all. Reported and tested by: pho Reviewed by: mckusick Sponsored by: The FreeBSD Foundation MFC after: 2 weeks Modified: head/sys/ufs/ffs/ffs_softdep.c Modified: head/sys/ufs/ffs/ffs_softdep.c ============================================================================== --- head/sys/ufs/ffs/ffs_softdep.c Mon Aug 21 16:16:02 2017 (r322756) +++ head/sys/ufs/ffs/ffs_softdep.c Mon Aug 21 16:23:44 2017 (r322757) @@ -13919,12 +13919,36 @@ softdep_count_dependencies(bp, wantcount) struct newblk *newblk; struct mkdir *mkdir; struct diradd *dap; + struct vnode *vp; + struct mount *mp; int i, retval; retval = 0; - if ((wk = LIST_FIRST(&bp->b_dep)) == NULL) + if (LIST_EMPTY(&bp->b_dep)) return (0); - ump = VFSTOUFS(wk->wk_mp); + vp = bp->b_vp; + + /* + * The ump mount point is stable after we get a correct + * pointer, since bp is locked and this prevents unmount from + * proceed. But to get to it, we cannot dereference bp->b_dep + * head wk_mp, because we do not yet own SU ump lock and + * workitem might be freed while dereferenced. + */ +retry: + if (vp->v_type == VCHR) { + VOP_LOCK(vp, LK_RETRY | LK_EXCLUSIVE); + mp = vp->v_type == VCHR ? vp->v_rdev->si_mountpt : NULL; + VOP_UNLOCK(vp, 0); + if (mp == NULL) + goto retry; + } else if (vp->v_type == VREG) { + mp = vp->v_mount; + } else { + return (0); + } + ump = VFSTOUFS(mp); + ACQUIRE_LOCK(ump); LIST_FOREACH(wk, &bp->b_dep, wk_list) { switch (wk->wk_type) {