From: claudio
Date: Tue, 16 Apr 2024 10:04:41 +0000 (+0000)
Subject: Call bufq_destroy() in mfs_reclaim() before freeing the mfsnode.
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=6434a2662ab1393315c379a172fdfd57a1b98f42;p=openbsd
Call bufq_destroy() in mfs_reclaim() before freeing the mfsnode. This fixes a use-after-free bug in bufq_quiesce() once a mfs partition was unmounted. OK mpi@ deraadt@
---
diff --git a/sys/ufs/mfs/mfs_vnops.c b/sys/ufs/mfs/mfs_vnops.c
index c3d5ffe54f6..f238af20326 100644
--- a/sys/ufs/mfs/mfs_vnops.c
+++ b/sys/ufs/mfs/mfs_vnops.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mfs_vnops.c,v 1.60 2022/06/26 05:20:43 visa Exp $ */
+/* $OpenBSD: mfs_vnops.c,v 1.61 2024/04/16 10:04:41 claudio Exp $ */
 /* $NetBSD: mfs_vnops.c,v 1.8 1996/03/17 02:16:32 christos Exp $ */
 /*
@@ -237,6 +237,9 @@ mfs_reclaim(void *v)
 {
 struct vop_reclaim_args *ap = v;
 struct vnode *vp = ap->a_vp;
+ struct mfsnode *mfsp = VTOMFS(vp);
+
+ bufq_destroy(&mfsp->mfs_bufq);
 free(vp->v_data, M_MFSNODE, sizeof(struct mfsnode));
 vp->v_data = NULL;
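Review bot: The `free()` right after the added `bufq_destroy()` call still goes through `vp->v_data` and `sizeof(struct mfsnode)` although `mfsp` now presumably names the same node, which hides that the queue being destroyed lives inside the memory being released; `free(mfsp, M_MFSNODE, sizeof(*mfsp));` would tie the two together. That ordering is what closes the use-after-free described in the commit message, so a short comment above the call is worth adding, e.g. `/* mfs_bufq is part of the mfsnode: destroy it before the node is freed */`. Whether `vp->v_data` can already be NULL on this path is not visible here; the old code only passed it to `free()`, while the new code derives `&mfsp->mfs_bufq` from it, so that is worth confirming against the callers. mfs_reclaim()'s body continues past the end of the hunk.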