From b8db4ef5ee5504403408483bc418a100cbec31cc Mon Sep 17 00:00:00 2001
From: claudio
Date: Tue, 16 Apr 2024 10:06:37 +0000
Subject: [PATCH] Call bufq_destroy() in swap_off for the VREG case since swap_on() called bufq_init(). Similar issue as the use-after-free in mfs. Missing call noticed by jsg@ OK deraadt@ mpi@
---
 sys/uvm/uvm_swap.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sys/uvm/uvm_swap.c b/sys/uvm/uvm_swap.c
index 8c705f2182f..fc0382fd224 100644
--- a/sys/uvm/uvm_swap.c
+++ b/sys/uvm/uvm_swap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: uvm_swap.c,v 1.169 2024/02/03 18:51:59 beck Exp $ */
+/* $OpenBSD: uvm_swap.c,v 1.170 2024/04/16 10:06:37 claudio Exp $ */
 /* $NetBSD: uvm_swap.c,v 1.40 2000/11/17 11:39:39 mrg Exp $ */
 /*
@@ -1088,6 +1088,7 @@ swap_off(struct proc *p, struct swapdev *sdp)
 */
 if (sdp->swd_vp->v_type == VREG) {
 crfree(sdp->swd_cred);
+ bufq_destroy(&sdp->swd_bufq);
 }
 vrele(sdp->swd_vp);
 if (sdp->swd_vp != rootvp) {
-- 
2.20.1
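Review bot: The added `bufq_destroy(&sdp->swd_bufq);` in the VREG branch of swap_off() carries no comment tying it to its counterpart, although that pairing is the only reason the call exists; I would put `/* undo the bufq_init() done by swap_on() for VREG */` above it so the two stay in step when either side is edited. The commit message places this in the same class as a use-after-free in mfs, so presumably the queue remains reachable after the swapdev is gone if it is not destroyed; that is inferred from the message, not from the lines shown. It is also worth confirming that swap_on()'s failure path for VREG destroys the queue when it bails out after bufq_init(), since that code is not part of this diff. swap_off() starts and ends outside the hunk.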