[PATCH 3/4] fs: Fix use after free

Sascha Hauer s.hauer at pengutronix.de
Mon Sep 14 09:06:39 EDT 2020


In case of the fs mounted to '/', the root dentry of the mounted
filesystem is the place where it's mounted itself, so sb->s_root
is the same as fsdev->vfsmount.mountpoint. In that case make
sure we only access it before it has been killed in
dentry_delete_subtree().

Signed-off-by: Sascha Hauer <s.hauer at pengutronix.de>
---
 fs/fs.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/fs.c b/fs/fs.c
index a6c6f0cc93..5784e9c1f3 100644
--- a/fs/fs.c
+++ b/fs/fs.c
@@ -667,14 +667,14 @@ static void fs_remove(struct device_d *dev)
 	if (fsdev->loop && fsdev->cdev)
 		cdev_remove_loop(fsdev->cdev);
 
+	if (fsdev->vfsmount.mountpoint)
+		fsdev->vfsmount.mountpoint->d_flags &= ~DCACHE_MOUNTED;
+
 	dentry_delete_subtree(sb, sb->s_root);
 
 	list_for_each_entry_safe(inode, tmp, &sb->s_inodes, i_sb_list)
 		destroy_inode(inode);
 
-	if (fsdev->vfsmount.mountpoint)
-		fsdev->vfsmount.mountpoint->d_flags &= ~DCACHE_MOUNTED;
-
 	mntput(fsdev->vfsmount.parent);
 
 	free(fsdev->backingstore);
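Review bot: the reordering of the DCACHE_MOUNTED clear ahead of dentry_delete_subtree() is correct for the '/' case, but nothing in the hunk records why the order matters, and fsdev->vfsmount.mountpoint is left pointing at memory that dentry_delete_subtree(sb, sb->s_root) may have just freed when mountpoint == sb->s_root. Suggest a short comment above the `if (fsdev->vfsmount.mountpoint)` block stating that the mountpoint may be the root dentry of this very superblock and must be touched before the subtree is deleted, and setting `fsdev->vfsmount.mountpoint = NULL;` right after clearing the flag, so any later access in the remaining teardown (the mntput() on the parent and the frees that follow) fails loudly instead of reading freed memory.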
-- 
2.28.0