From: Matthew Dillon <dillon@apollo.backplane.com>
Date: Mon, 29 Mar 2010 20:52:11 +0000 (-0700)
Subject: kernel - Fix NULL pointer dereference on forced unmount
X-Git-Tag: v2.7.1~37^2~47
X-Git-Url: https://gitweb.dragonflybsd.org/dragonfly.git/commitdiff_plain/1e49b98c24fe6d4737f144108ae1898b6c977757

kernel - Fix NULL pointer dereference on forced unmount

* Forced unmounts forcefully remove vnodes from a mount but failed
  to reassociate those vnodes with a dummy mount.  Reassociate the
  vnodes with a dummy mount to avoid a NULL pointer dereference.

Reported-by: Saifi Khan <saifi.khan@datasynergy.org>
---

diff --git a/sys/kern/vfs_mount.c b/sys/kern/vfs_mount.c
index 3e1dd00c3b..ffaf7b5fa4 100644
--- a/sys/kern/vfs_mount.c
+++ b/sys/kern/vfs_mount.c
@@ -1254,24 +1254,16 @@ vflush_scan(struct mount *mp, struct vnode *vp, void *data)
 	}
 
 	/*
-	 * If FORCECLOSE is set, forcibly close the vnode. For block
-	 * or character devices we just clean and leave the vp
-	 * associated with devfs.  For all other files, just kill them.
-	 *
-	 * XXX we need to do something about devfs here, I'd rather not
-	 *     blow away device associations.
+	 * If FORCECLOSE is set, forcibly destroy the vnode and then move
+	 * it to a dummymount structure so vop_*() functions don't deref
+	 * a NULL pointer.
 	 */
 	if (info->flags & FORCECLOSE) {
+		vhold(vp);
 		vgone_vxlocked(vp);
-#if 0
-		if (vp->v_type != VBLK && vp->v_type != VCHR) {
-			vgone_vxlocked(vp);
-		} else {
-			vclean_vxlocked(vp, 0);
-			/*vp->v_ops = &devfs_vnode_dev_vops_p;*/
-			insmntque(vp, NULL);
-		}
-#endif
+		if (vp->v_mount == NULL)
+			insmntque(vp, &dummymount);
+		vdrop(vp);
 		return(0);
 	}
 #ifdef DIAGNOSTIC