From 6434a2662ab1393315c379a172fdfd57a1b98f42 Mon Sep 17 00:00:00 2001
From: claudio
Date: Tue, 16 Apr 2024 10:04:41 +0000
Subject: [PATCH] Call bufq_destroy() in mfs_reclaim() before freeing the mfsnode. This fixes a use-after-free bug in bufq_quiesce() once a mfs partition was unmounted. OK mpi@ deraadt@
---
 sys/ufs/mfs/mfs_vnops.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/sys/ufs/mfs/mfs_vnops.c b/sys/ufs/mfs/mfs_vnops.c
index c3d5ffe54f6..f238af20326 100644
--- a/sys/ufs/mfs/mfs_vnops.c
+++ b/sys/ufs/mfs/mfs_vnops.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mfs_vnops.c,v 1.60 2022/06/26 05:20:43 visa Exp $ */
+/* $OpenBSD: mfs_vnops.c,v 1.61 2024/04/16 10:04:41 claudio Exp $ */
 /* $NetBSD: mfs_vnops.c,v 1.8 1996/03/17 02:16:32 christos Exp $ */
 
 /*
@@ -237,6 +237,9 @@ mfs_reclaim(void *v)
 {
  struct vop_reclaim_args *ap = v;
  struct vnode *vp = ap->a_vp;
+ struct mfsnode *mfsp = VTOMFS(vp);
+
+ bufq_destroy(&mfsp->mfs_bufq);
 
  free(vp->v_data, M_MFSNODE, sizeof(struct mfsnode));
  vp->v_data = NULL;
-- 
2.20.1
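Review bot: The new `bufq_destroy(&mfsp->mfs_bufq)` call in mfs_reclaim() carries an ordering requirement that nothing in the code records: it has to run before `free(vp->v_data, ...)`, because per the commit message bufq_quiesce() otherwise touches the freed mfsnode. I would put a comment above the call, e.g. `/* Tear down the bufq before freeing the mfsnode; bufq_quiesce() would otherwise reference freed memory. */`, so a later reorder does not reintroduce the use-after-free. As a style point, the free two lines below could use the new local, `free(mfsp, M_MFSNODE, sizeof(*mfsp));`, which makes it obvious that the destroy and the free act on the same object. The function starts above and continues below this hunk, so whether buffers can still sit on mfs_bufq when reclaim runs cannot be judged from here and is worth confirming against the unmount path.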