[PATCH 3/4] fs: Fix use after free
Sascha Hauer
s.hauer at pengutronix.de
Mon Sep 14 09:06:39 EDT 2020
In case of the fs mounted to '/' the root dentry of the mounted
filesystem is the place where it's mounted itself, so sb->s_root
is the same as fsdev->vfsmount.mountpoint. In that case make
sure we only access it before it has been killed in
dentry_delete_subtree().
Signed-off-by: Sascha Hauer <s.hauer at pengutronix.de>
---
fs/fs.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fs/fs.c b/fs/fs.c
index a6c6f0cc93..5784e9c1f3 100644
--- a/fs/fs.c
+++ b/fs/fs.c
@@ -667,14 +667,14 @@ static void fs_remove(struct device_d *dev)
if (fsdev->loop && fsdev->cdev)
cdev_remove_loop(fsdev->cdev);
+ if (fsdev->vfsmount.mountpoint)
+ fsdev->vfsmount.mountpoint->d_flags &= ~DCACHE_MOUNTED;
+
dentry_delete_subtree(sb, sb->s_root);
list_for_each_entry_safe(inode, tmp, &sb->s_inodes, i_sb_list)
destroy_inode(inode);
- if (fsdev->vfsmount.mountpoint)
- fsdev->vfsmount.mountpoint->d_flags &= ~DCACHE_MOUNTED;
-
mntput(fsdev->vfsmount.parent);
free(fsdev->backingstore);
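Review bot: The ordering requirement on the moved `if (fsdev->vfsmount.mountpoint)` block is not documented in fs_remove() itself, so a later cleanup could move the DCACHE_MOUNTED clear back below dentry_delete_subtree() and reintroduce the use after free. A short comment above the block would help, stating that for a filesystem mounted on '/' the mountpoint is sb->s_root and is killed by `dentry_delete_subtree(sb, sb->s_root)`. In that same case fsdev->vfsmount.mountpoint still holds the stale pointer after the call; nothing in the visible lines dereferences it again, but setting it to NULL right after clearing the flag would keep a later access from touching freed memory.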
--
2.28.0