Fri Apr 19 00:45:41 2024 UTC (20d)

dounmount: Avoid &((struct vnode_impl *)NULL)->vi_vnode.

Member access of a null pointer is undefined, even if the result
should also be null because vi_vnode is at the start of vnode_impl.

Reported-by: syzbot+a4b2d13c0d6d4dac2d07@syzkaller.appspotmail.com
https://syzkaller.appspot.com/bug?extid=a4b2d13c0d6d4dac2d07


(riastradh)

diff -r1.104 -r1.105 src/sys/kern/vfs_mount.c

--- src/sys/kern/vfs_mount.c 2024/01/17 10:17:29	1.104
+++ src/sys/kern/vfs_mount.c 2024/04/19 00:45:41	1.105

 @@ -1,14 +1,14 @@
-/*	$NetBSD: vfs_mount.c,v 1.104 2024/01/17 10:17:29 hannken Exp $	*/
+/*	$NetBSD: vfs_mount.c,v 1.105 2024/04/19 00:45:41 riastradh Exp $	*/
 /*-
  * Copyright (c) 1997-2020 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This code is derived from software contributed to The NetBSD Foundation
  * by Jason R. Thorpe of the Numerical Aerospace Simulation Facility,
  * NASA Ames Research Center, by Charles M. Hannum, and by Andrew Doran.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
 @@ -57,27 +57,27 @@
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
+ *
  *	@(#)vfs_subr.c	8.13 (Berkeley) 4/18/94
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vfs_mount.c,v 1.104 2024/01/17 10:17:29 hannken Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_mount.c,v 1.105 2024/04/19 00:45:41 riastradh Exp $");
 #include "veriexec.h"
 #include <sys/param.h>
 #include <sys/kernel.h>
 #include <sys/atomic.h>
 #include <sys/buf.h>
 #include <sys/conf.h>
 #include <sys/fcntl.h>
 #include <sys/filedesc.h>
 #include <sys/device.h>
 #include <sys/kauth.h>
 @@ -926,27 +926,28 @@ err_mounted:
 	return error;
+}
 /*
  * Do the actual file system unmount.  File system is assumed to have
  * been locked by the caller.
+ *
  * => Caller hold reference to the mount, explicitly for dounmount().
  */
 int
 dounmount(struct mount *mp, int flags, struct lwp *l)
+{
-	vnode_t *coveredvp, *vp;
+	struct vnode *coveredvp, *vp;
 	struct vnode_impl *vip;
 	int error, async, used_syncer, used_extattr;
 	const bool was_suspended = fstrans_is_owner(mp);
 #if NVERIEXEC > 0
 	error = veriexec_unmountchk(mp);
 	if (error)
 		return (error);
 #endif /* NVERIEXEC > 0 */
 	if (!was_suspended) {
 		error = vfs_suspend(mp, 0);
 		if (error) {
 			return error;
 @@ -993,27 +994,29 @@ dounmount(struct mount *mp, int flags, s
 	/*
 	 * mark filesystem as gone to prevent further umounts
 	 * after mnt_umounting lock is gone, this also prevents
 	 * vfs_busy() from succeeding.
 	 */
 	mp->mnt_iflag |= IMNT_GONE;
 	if ((coveredvp = mp->mnt_vnodecovered) != NULLVP) {
 		coveredvp->v_mountedhere = NULL;
+	}
 	if (!was_suspended)
 		vfs_resume(mp);
 	mountlist_remove(mp);
 	if ((vp = VIMPL_TO_VNODE(TAILQ_FIRST(&mp->mnt_vnodelist))) != NULL) {
 	if ((vip = TAILQ_FIRST(&mp->mnt_vnodelist)) != NULL) {
 		vp = VIMPL_TO_VNODE(vip);
 		vprint("dangling", vp);
 		panic("unmount: dangling vnode");
+	}
 	vfs_hooks_unmount(mp);
 	vfs_set_lowermount(mp, NULL);
 	vfs_rele(mp);	/* reference from mount() */
 	if (coveredvp != NULLVP) {
 		vrele(coveredvp);
+	}
 	return (0);
+}