Linux: Fix use-after-free in zfsvfs_create()
9f1691a96466
Actions

Description

Linux: Fix use-after-free in zfsvfs_create()

Coverity reported that we pass a pointer to zfsvfs to
dmu_objset_disown() after freeing zfsvfs in zfsvfs_create_impl() after
a failure in zfsvfs_init().

We have nearly identical duplicate versions of this code for FreeBSD and
Linux, but interestingly, the FreeBSD version of this code differs in
such a way that it does not suffer from this bug. We remove the
difference from the FreeBSD version to fix this bug.

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
Closes #13883

Details

Provenance

Richard Yao <richard.yao@alumni.stonybrook.edu>	Authored on Sep 20 2022, 12:30 AM
Tony Hutter <hutter2@llnl.gov>	Committed on Dec 1 2022, 8:39 PM

Parents

rG12b859c97079: Fix null pointer dereferences in PAM

Branches

Unknown

Tags

Unknown

Event Timeline

Tony Hutter <hutter2@llnl.gov> committed rG9f1691a96466: Linux: Fix use-after-free in zfsvfs_create() (authored by Richard Yao <richard.yao@alumni.stonybrook.edu>).Dec 1 2022, 8:39 PM

Changes (1)

Path

Size

module/

os/

linux/

zfs/

zfs_vfsops.c

rG9f1691a96466

View Options

module/os/linux/zfs/zfs_vfsops.c