Tue Sep 29 11:17:00 2009 UTC ()
Give rump_sys_unmount() in ukfs_release() a curlwp context.  This
prevents use-after-free and should fix crashy cases reported by
Arnaud Ysmal.


(pooka)
diff -r1.35 -r1.36 src/lib/libukfs/ukfs.c


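--- a/src/lib/libukfs/ukfs.c
+++ b/src/lib/libukfs/ukfs.c
@@ -1,14 +1,14 @@
-/* $NetBSD: ukfs.c,v 1.35 2009/08/04 12:37:14 pooka Exp $ */
+/* $NetBSD: ukfs.c,v 1.36 2009/09/29 11:17:00 pooka Exp $ */
 
 /*
  * Copyright (c) 2007, 2008 Antti Kantee. All Rights Reserved.
  *
  * Development of this software was supported by the
  * Finnish Cultural Foundation.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
@@ -298,27 +298,29 @@ ukfs_mount(const char *vfsname, const ch
 }
 
 int
 ukfs_release(struct ukfs *fs, int flags)
 {
 
 	if ((flags & UKFS_RELFLAG_NOUNMOUNT) == 0) {
 		int rv, mntflag;
 
 		ukfs_chdir(fs, "/");
 		mntflag = 0;
 		if (flags & UKFS_RELFLAG_FORCE)
 			mntflag = MNT_FORCE;
+		rump_setup_curlwp(nextpid(fs), 1, 1);
 		rv = rump_sys_unmount(fs->ukfs_mountpath, mntflag);
+		rump_clear_curlwp();
 		if (rv) {
 			ukfs_chdir(fs, fs->ukfs_mountpath);
 			errno = rv;
 			return -1;
 		}
 	}
 
 	if (fs->ukfs_devpath) {
 		rump_etfs_remove(fs->ukfs_devpath);
 		free(fs->ukfs_devpath);
 	}
 	free(fs->ukfs_mountpath);
 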
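Review bot: The new rump_setup_curlwp()/rump_clear_curlwp() pair around rump_sys_unmount() carries no comment, so the reason it exists — the unmount otherwise runs without a curlwp and the commit message attributes a use-after-free to that — is visible only in the commit log, and the literal `1, 1` arguments are unexplained to the next reader. A one-line why-comment above the setup call would keep that knowledge with the code, e.g. `/* unmount needs a curlwp of its own; see rev 1.36 log (use-after-free without one) */`, and a short note on what the two flag arguments select, if that is documented in the rump headers. It is also worth stating in that comment that the context is deliberately cleared before the error branch, so the ukfs_chdir() on failure runs without it, matching the unguarded ukfs_chdir(fs, "/") earlier in the block. ukfs_release() continues past the end of this hunk.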