]> CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit
projects / FreeBSD / FreeBSD.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 590c9a0) | patch
Fix get_zfs_sb race with concurrent umount
authorChunwei Chen <david.chen@osnexus.com>
Fri, 8 Jul 2016 23:59:54 +0000 (16:59 -0700)
committerBrian Behlendorf <behlendorf1@llnl.gov>
Tue, 12 Jul 2016 20:34:14 +0000 (13:34 -0700)
commit061460dfe222e01f258db7f6bad689c1ebd2634e
treed83a88afb23bbb9b4e667fdce511629898ed5843tree | snapshot
parent590c9a09946939a389e1f01dadd27efb4b2fe8fdcommit | diff
Fix get_zfs_sb race with concurrent umount

Certain ioctl operations will call get_zfs_sb, which will holds an active
count on sb without checking whether it's active or not. This will result
in use-after-free. We fix this by using atomic_inc_not_zero to make sure
we got an active sb.

P1                                          P2
---                                         ---
deactivate_locked_super(): s_active = 0
                                            zfs_sb_hold()
                                            ->get_zfs_sb(): s_active = 1
->zpl_kill_sb()
-->zpl_put_super()
--->zfs_umount()
---->zfs_sb_free(zsb)
                                            zfs_sb_rele(zsb)

Signed-off-by: Chunwei Chen <david.chen@osnexus.com>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
module/zfs/zfs_ioctl.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.