Diffusion FreeBSD src repository 061460dfe222

Fix get_zfs_sb race with concurrent umount
061460dfe222
Actions

Description

Fix get_zfs_sb race with concurrent umount

Certain ioctl operations will call get_zfs_sb, which will holds an active
count on sb without checking whether it's active or not. This will result
in use-after-free. We fix this by using atomic_inc_not_zero to make sure
we got an active sb.

P1 P2

deactivate_locked_super(): s_active = 0

zfs_sb_hold()
->get_zfs_sb(): s_active = 1

->zpl_kill_sb()
-->zpl_put_super()
--->zfs_umount()
---->zfs_sb_free(zsb)

zfs_sb_rele(zsb)

Signed-off-by: Chunwei Chen <david.chen@osnexus.com>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>

Details

Provenance

Chunwei Chen <david.chen@osnexus.com>	Authored on Jul 8 2016, 11:59 PM
Brian Behlendorf <behlendorf1@llnl.gov>	Committed on Jul 12 2016, 8:34 PM

Parents

rG590c9a099469: Allow building with `CFLAGS="-O0"`

Branches

Unknown

Tags

Unknown

Event Timeline

Brian Behlendorf <behlendorf1@llnl.gov> committed rG061460dfe222: Fix get_zfs_sb race with concurrent umount (authored by Chunwei Chen <david.chen@osnexus.com>).Jul 12 2016, 8:34 PM

Changes (1)

Path

Size

module/

zfs/

zfs_ioctl.c

rG061460dfe222

View Options