git.proxmox.com Git - mirror

author	Chunwei Chen <tuxoko@gmail.com>
	Fri, 20 Jan 2023 00:59:05 +0000 (16:59 -0800)
committer	GitHub <noreply@github.com>
	Fri, 20 Jan 2023 00:59:05 +0000 (16:59 -0800)
commit	c6dab6dd39214d587c7013e8c6dfeb085e3eb41c
tree	c0ec00fc4945800b7b8103d2abb3a42a26e9763e	tree
parent	a379083d9f2bb9dd80f4636e593bcb2c1d94d11b	commit \| diff

Fix unprotected zfs_znode_dmu_fini

In original code, zfs_znode_dmu_fini is called in zfs_rmnode without
zfs_znode_hold_enter. It seems to assume it's ok to do so when the znode
is unlinked. However this assumption is not correct, as zfs_zget can be
called by NFS through zpl_fh_to_dentry as pointed out by Christian in
https://github.com/openzfs/zfs/pull/12767, which could result in a
use-after-free bug.

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Co-authored-by: Ryan Moeller <ryan@iXsystems.com>
Signed-off-by: Chunwei Chen <david.chen@nutanix.com>
Signed-off-by: Ryan Moeller <ryan@iXsystems.com>
Closes #12767
Closes #14364

include/sys/zfs_znode.h		diff \| blob \| blame \| history
module/os/freebsd/zfs/zfs_dir.c		diff \| blob \| blame \| history
module/os/freebsd/zfs/zfs_znode.c		diff \| blob \| blame \| history
module/os/linux/zfs/zfs_dir.c		diff \| blob \| blame \| history
module/os/linux/zfs/zfs_znode.c		diff \| blob \| blame \| history