svn commit: r357307 - head/sys/kern

Mateusz Guzik mjg at FreeBSD.org
Thu Jan 30 19:38:13 UTC 2020


Author: mjg
Date: Thu Jan 30 19:38:12 2020
New Revision: 357307
URL: https://svnweb.freebsd.org/changeset/base/357307

Log:
  vfs: keep the mount point referenced across sys_quotactl
  
  Otherwise we risk running into use-after-free.
  
  In particular this codepath ends up dropping all protection before
  suspending writes:
  
  ufs_quotactl -> quotaoff_inchange -> vfs_write_suspend_umnt
  
  Reported by:	pho

Modified:
  head/sys/kern/vfs_syscalls.c

Modified: head/sys/kern/vfs_syscalls.c
==============================================================================
--- head/sys/kern/vfs_syscalls.c	Thu Jan 30 19:34:37 2020	(r357306)
+++ head/sys/kern/vfs_syscalls.c	Thu Jan 30 19:38:12 2020	(r357307)
@@ -189,9 +189,10 @@ sys_quotactl(struct thread *td, struct quotactl_args *
 	vfs_ref(mp);
 	vput(nd.ni_vp);
 	error = vfs_busy(mp, 0);
-	vfs_rel(mp);
-	if (error != 0)
+	if (error != 0) {
+		vfs_rel(mp);
 		return (error);
+	}
 	error = VFS_QUOTACTL(mp, uap->cmd, uap->uid, uap->arg);
 
 	/*
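Review bot: The `VFS_QUOTACTL(mp, ...)` call at the end of this hunk now depends on the reference taken by `vfs_ref(mp)` staying held, but nothing in the code says so. A short comment above the call would help, stating that the busy state alone is not enough because the filesystem's quotactl routine may drop it (the log cites ufs_quotactl -> quotaoff_inchange -> vfs_write_suspend_umnt). Otherwise a later cleanup could move `vfs_rel(mp)` back to right after `vfs_busy()` and reintroduce the use-after-free. The new braces on the `error != 0` path correctly release the reference before returning.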
@@ -208,6 +209,7 @@ sys_quotactl(struct thread *td, struct quotactl_args *
 	if ((uap->cmd >> SUBCMDSHIFT) != Q_QUOTAON &&
 	    (uap->cmd >> SUBCMDSHIFT) != Q_QUOTAOFF)
 		vfs_unbusy(mp);
+	vfs_rel(mp);
 	return (error);
 }
 
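Review bot: The `vfs_rel(mp)` added before `return (error)` is the second release site in the function, alongside the one in the `vfs_busy()` failure branch, so any return added between them later has to remember to release as well. Consider routing both paths through a single exit label that does the `vfs_rel(mp)`, or at least note in the comment above the `Q_QUOTAON`/`Q_QUOTAOFF` check that the reference is dropped here unconditionally while `vfs_unbusy(mp)` is not. Releasing after the conditional `vfs_unbusy(mp)` is the right order, since `mp` is still dereferenced by that call.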

