MFC r294595:

When devfs dirent is freed, a vnode might still keep a pointer to it, apparently. Interlock and clear the pointer to avoid free memory dereference. Approved by: re (marius)
author: kib <kib@FreeBSD.org> 2016-02-14 17:21:19 +0000
committer: kib <kib@FreeBSD.org> 2016-02-14 17:21:19 +0000
commit: 8b9d16815392c18a9a8b20089db0506d3b80e711 (patch)
tree: 9907ca1d520bba25645f781a277dd6ec3aa0e246
parent: a3f0577ed04b6c469cd8c282522893364bebcf3f (diff)
download: FreeBSD-src-8b9d16815392c18a9a8b20089db0506d3b80e711.zip
FreeBSD-src-8b9d16815392c18a9a8b20089db0506d3b80e711.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/sys/fs/devfs/devfs_devs.c b/sys/fs/devfs/devfs_devs.c
index 5070985..4723a63 100644
--- a/sys/fs/devfs/devfs_devs.c
+++ b/sys/fs/devfs/devfs_devs.c
@@ -304,6 +304,13 @@ devfs_vmkdir(struct devfs_mount *dmp, char *name, int namelen, struct devfs_dire
 void
 devfs_dirent_free(struct devfs_dirent *de)
 {
+	struct vnode *vp;
+
+	vp = de->de_vnode;
+	mtx_lock(&devfs_de_interlock);
+	if (vp != NULL && vp->v_data == de)
+		vp->v_data = NULL;
+	mtx_unlock(&devfs_de_interlock);
 	free(de, M_DEVFS3);
 }
author	kib <kib@FreeBSD.org>	2016-02-14 17:21:19 +0000
committer	kib <kib@FreeBSD.org>	2016-02-14 17:21:19 +0000
commit	8b9d16815392c18a9a8b20089db0506d3b80e711 (patch)
tree	9907ca1d520bba25645f781a277dd6ec3aa0e246
parent	a3f0577ed04b6c469cd8c282522893364bebcf3f (diff)
download	FreeBSD-src-8b9d16815392c18a9a8b20089db0506d3b80e711.zip FreeBSD-src-8b9d16815392c18a9a8b20089db0506d3b80e711.tar.gz