Date: Thu, 30 Jan 2020 19:38:12 +0000 (UTC)
From: Mateusz Guzik <mjg@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r357307 - head/sys/kern
Message-ID: <202001301938.00UJcCdQ092119@repo.freebsd.org>
Author: mjg Date: Thu Jan 30 19:38:12 2020 New Revision: 357307 URL: https://svnweb.freebsd.org/changeset/base/357307 Log: vfs: keep the mount point referenced across sys_quotactl Otherwise we risk running into use-after-free. In particular this codepath ends up dropping all protection before suspending writes: ufs_quotactl -> quotaoff_inchange -> vfs_write_suspend_umnt Reported by: pho Modified: head/sys/kern/vfs_syscalls.c Modified: head/sys/kern/vfs_syscalls.c ============================================================================== --- head/sys/kern/vfs_syscalls.c Thu Jan 30 19:34:37 2020 (r357306) +++ head/sys/kern/vfs_syscalls.c Thu Jan 30 19:38:12 2020 (r357307) @@ -189,9 +189,10 @@ sys_quotactl(struct thread *td, struct quotactl_args * vfs_ref(mp); vput(nd.ni_vp); error = vfs_busy(mp, 0); - vfs_rel(mp); - if (error != 0) + if (error != 0) { + vfs_rel(mp); return (error); + } error = VFS_QUOTACTL(mp, uap->cmd, uap->uid, uap->arg); /* @@ -208,6 +209,7 @@ sys_quotactl(struct thread *td, struct quotactl_args * if ((uap->cmd >> SUBCMDSHIFT) != Q_QUOTAON && (uap->cmd >> SUBCMDSHIFT) != Q_QUOTAOFF) vfs_unbusy(mp); + vfs_rel(mp); return (error); }
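Review bot: In the first hunk (@@ -189,9 +189,10), the code gives no reason for keeping the vfs_ref(mp) reference after vfs_busy(mp, 0) has succeeded; the explanation (ufs_quotactl -> quotaoff_inchange -> vfs_write_suspend_umnt dropping all protection) lives only in the commit log. A short comment above the vfs_busy call saying that the busy state alone does not keep mp alive for the whole of VFS_QUOTACTL would stop a later cleanup from moving vfs_rel(mp) back to directly after vfs_busy and reintroducing the use-after-free.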
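Review bot: In the second hunk (@@ -208,6 +209,7), the new vfs_rel(mp) is unconditional while the vfs_unbusy(mp) directly above it is skipped for Q_QUOTAON and Q_QUOTAOFF, and that asymmetry is not explained. A one-line comment that the reference belongs to sys_quotactl for every subcommand would make the intent clear. It is also worth confirming that nothing between the successful vfs_busy and this return can exit early, since any such path would now leak the reference.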