
nfsd: Fix a use after free when vnet prisons are deleted

Description

nfsd: Fix a use after free when vnet prisons are deleted

The KASAN tests show that nfsrvd_cleancache() results
in a modify after free. I think this occurs because the
nfsrv_cleanup() function gets executed after nfs_cleanup(),
which frees nfsstatsv1_p.

This patch makes them use the same subsystem and sets
SI_ORDER_FIRST for nfs_cleanup(), so that it will be called
after nfsrv_cleanup() via VNET_SYSUNINIT().

The patch also sets nfsstatsv1_p to NULL after freeing it,
so that a crash will result if it is used after freeing.

Tested by: markj
Reviewed by: markj
MFC after: 3 months
Differential Revision: https://reviews.freebsd.org/D38750
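The ordering the commit message relies on, as an added illustration (not FreeBSD code and not part of this commit): a small user-space model in which VNET_SYSUNINIT() entries are sorted ascending by (subsystem, order) and then run in reverse, so an entry at SI_ORDER_FIRST within a subsystem runs last. The SUB_EARLY/SUB_LATE subsystem ids, the nfsstats struct and the NULL check that stands in for the kernel fault are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed model of FreeBSD's VNET_SYSUNINIT() ordering: entries sort
 * ascending by (subsystem, order) and vnet teardown walks them in reverse,
 * so SI_ORDER_FIRST runs last. The SUB_* subsystem ids are placeholders. */
enum { SI_ORDER_FIRST = 0, SI_ORDER_ANY = 1000, SUB_EARLY = 1, SUB_LATE = 2 };

struct nfsstats { unsigned long calls; };
static struct nfsstats *nfsstatsv1_p;   /* shared by both cleanup paths */
static bool use_after_free_seen;
static void nfsrv_cleanup(void *arg) {  /* server side: still uses the stats */
    (void)arg;
    if (nfsstatsv1_p == NULL) { use_after_free_seen = true; return; } /* kernel would fault here */
    nfsstatsv1_p->calls++;
}
static void nfs_cleanup(void *arg) {    /* common side: free, then NULL as the patch does */
    (void)arg;
    free(nfsstatsv1_p);
    nfsstatsv1_p = NULL;
}
struct vnet_uninit { int subsystem, order; void (*func)(void *); };
static int by_subsystem_then_order(const void *a, const void *b) {
    const struct vnet_uninit *x = a, *y = b;
    int d = (x->subsystem > y->subsystem) - (x->subsystem < y->subsystem);
    return d != 0 ? d : (x->order > y->order) - (x->order < y->order);
}
/* Sort like vnet_register_sysuninit(), run in reverse like vnet_sysuninit();
 * returns true if nfsrv_cleanup() ran after the stats were freed. */
bool run_vnet_sysuninit(struct vnet_uninit *tab, size_t n) {
    nfsstatsv1_p = calloc(1, sizeof *nfsstatsv1_p);
    use_after_free_seen = false;
    qsort(tab, n, sizeof *tab, by_subsystem_then_order);
    for (size_t i = n; i-- > 0;)
        tab[i].func(NULL);
    return use_after_free_seen;
}
/* Before: nfs_cleanup() in a later subsystem sorts after nfsrv_cleanup(), so runs first. */
bool ordering_before_fix(void) {
    struct vnet_uninit tab[] = { { SUB_EARLY, SI_ORDER_ANY, nfsrv_cleanup },
                                 { SUB_LATE,  SI_ORDER_ANY, nfs_cleanup } };
    return run_vnet_sysuninit(tab, 2);
}
/* After: same subsystem and SI_ORDER_FIRST, so nfs_cleanup() sorts first and runs last. */
bool ordering_after_fix(void) {
    struct vnet_uninit tab[] = { { SUB_EARLY, SI_ORDER_ANY,   nfsrv_cleanup },
                                 { SUB_EARLY, SI_ORDER_FIRST, nfs_cleanup } };
    return run_vnet_sysuninit(tab, 2);
}
```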

Details

Provenance
rmacklem, authored on Feb 24 2023, 3:36 PM
Reviewer
markj
Differential Revision
D38750: fix ordering of VNET_SYSUNINIT()s within the nfsd module
Parents
rG70960bb86a3b: ping: Fix unsigned integer underflow resulting in a ping -R segfault
Branches
Unknown
Tags
Unknown