
nfsd: Fix a use after free when vnet prisons are deleted

Description

The KASAN tests show that nfsrvd_cleancache() results
in a modify after free. I think this occurs because the
nfsrv_cleanup() function gets executed after nfs_cleanup(),
which frees nfsstatsv1_p.

This patch makes them use the same subsystem and sets
SI_ORDER_FIRST for nfs_cleanup(), so that it will be called
after nfsrv_cleanup() via VNET_SYSUNINIT().

The patch also sets nfsstatsv1_p to NULL after freeing it,
so that a crash will result if it is used after freeing.

(cherry picked from commit 4036fcb8053adf3ac54c8428eef0dd076dfc1718)
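The ordering rule the commit relies on (SYSINIT callbacks run in ascending subsystem/order, SYSUNINIT callbacks run the same list in reverse, so SI_ORDER_FIRST at init means "runs last" at teardown) is easy to get wrong. The following is an added, constructed userland model of that rule, not FreeBSD kernel code and not part of this commit: the subsystem numbers, the `*_sim` callbacks, `stats_p` (standing in for nfsstatsv1_p) and `run_scenario()` are all assumptions made for the example. It replays both the broken ordering (separate subsystems, stats freed before the server cleanup touches them) and the fixed ordering (same subsystem, nfs_cleanup at SI_ORDER_FIRST), and shows why NULLing the pointer after free turns a silent write-after-free into a detectable fault.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of SYSINIT/SYSUNINIT ordering (assumption, not kernel code):
 * entries are sorted by (subsystem, order); init runs ascending, uninit runs
 * the same sorted list descending. */
enum { SI_ORDER_FIRST = 0, SI_ORDER_SECOND = 1, SI_ORDER_ANY = 0x0fffffff };

typedef void (*cb_t)(void);
struct entry { int subsystem; int order; const char *name; cb_t fn; };

static int cmp_entry(const void *a, const void *b) {
    const struct entry *x = a, *y = b;
    if (x->subsystem != y->subsystem) return x->subsystem < y->subsystem ? -1 : 1;
    if (x->order != y->order) return x->order < y->order ? -1 : 1;
    return 0;
}

/* Hypothetical stand-ins for the real routines and the shared stats buffer. */
static int  *stats_p;          /* plays the role of nfsstatsv1_p */
static char  trace[128];       /* order in which the callbacks actually ran */
static int   uaf_detected;     /* 1 if the server cleanup ran after the free */

/* nfs_cleanup(): frees the stats and, as the fix does, NULLs the pointer. */
static void nfs_cleanup_sim(void) {
    strcat(trace, "nfs_cleanup;");
    free(stats_p);
    stats_p = NULL;
}

/* nfsrv_cleanup(): would write into the stats (the "modify after free" path).
 * In the kernel a NULL pointer here faults immediately; the model records it
 * instead of dereferencing NULL so the scenario can be checked. */
static void nfsrv_cleanup_sim(void) {
    strcat(trace, "nfsrv_cleanup;");
    if (stats_p == NULL)
        uaf_detected = 1;      /* the NULL-after-free made the misuse visible */
    else
        stats_p[0] = 0;        /* legitimate use: buffer is still alive */
}

/* Run the uninit list the way VNET_SYSUNINIT ordering is modelled above. */
static void run_uninit(struct entry *tab, int n) {
    qsort(tab, (size_t)n, sizeof *tab, cmp_entry);
    for (int i = n - 1; i >= 0; i--)
        tab[i].fn();
}

/* Registers the two cleanups with the given (subsystem, order) pairs and runs
 * teardown. Returns 1 if nfsrv_cleanup ran after the stats were freed. */
int run_scenario(int nfs_subsys, int nfs_order, int nfsrv_subsys, int nfsrv_order) {
    struct entry tab[2] = {
        { nfs_subsys,   nfs_order,   "nfs_cleanup",   nfs_cleanup_sim   },
        { nfsrv_subsys, nfsrv_order, "nfsrv_cleanup", nfsrv_cleanup_sim },
    };
    trace[0] = '\0';
    uaf_detected = 0;
    stats_p = calloc(16, sizeof *stats_p);   /* fresh buffer per scenario */
    run_uninit(tab, 2);
    free(stats_p);                           /* no-op if already freed and NULLed */
    stats_p = NULL;
    return uaf_detected;
}

const char *last_trace(void) { return trace; }

int main(void) {
    /* Before: cleanups in different subsystems (constructed numbers); the
     * higher-numbered subsystem tears down first, so the stats are gone. */
    int before = run_scenario(2, SI_ORDER_ANY, 1, SI_ORDER_ANY);
    printf("before fix: %s uaf=%d\n", last_trace(), before);

    /* After: same subsystem, nfs_cleanup at SI_ORDER_FIRST, so in the reversed
     * uninit pass nfsrv_cleanup runs before the stats are freed. */
    int after = run_scenario(1, SI_ORDER_FIRST, 1, SI_ORDER_ANY);
    printf("after fix:  %s uaf=%d\n", last_trace(), after);
    return 0;
}
```

The model's "uninit runs the sorted list in reverse" step is the whole point: an order constant that reads as "first" is chosen precisely because teardown mirrors bring-up. Setting the freed pointer to NULL does not prevent the ordering bug, it only converts a quiet corruption of freed memory into an immediate, attributable crash, which is what the commit message says it intends.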

Details

Provenance
rmacklem, authored on Feb 24 2023, 3:36 PM
Parents
rGb4098b4fd6d6: nfscommon: Use IS_DEFAULT_VNET() in the vnet initialization