8805 xattr_dir_lookup() can leak a vnode hold

Reviewed by: Marcel Telka <marcel@telka.sk> Reviewed by: Gordon Ross <gordon.w.ross@gmail.com> Approved by: Dan McDonald <danmcd@joyent.com>
author: Vitaliy Gusev <gusev.vitaliy@gmail.com> 2017-11-15 00:50:09 +0300
committer: Dan McDonald <danmcd@joyent.com> 2018-01-24 09:32:29 -0500
commit: f4f14d92e23977993fc16fdcece27ba510a6d40b (patch)
tree: 69023859e7c7f68c3167adab297c0dbcff863215
parent: d7db73d165ff4802d277d375e93877471457fed7 (diff)
download: illumos-joyent-f4f14d92e23977993fc16fdcece27ba510a6d40b.tar.gz
1 files changed, 3 insertions, 7 deletions
diff --git a/usr/src/uts/common/fs/xattr.c b/usr/src/uts/common/fs/xattr.c
index 0c5ddde20d..2326a42747 100644
--- a/usr/src/uts/common/fs/xattr.c
+++ b/usr/src/uts/common/fs/xattr.c
@@ -1664,22 +1664,18 @@ xattr_dir_lookup(vnode_t *dvp, vnode_t **vpp, int flags, cred_t *cr)
 
 			ASSERT((*vpp)->v_count == 1);
 			vn_free(*vpp);
+			VN_RELE_LOCKED(dvp);
 
 			mutex_destroy(&dp->gfsd_lock);
 			kmem_free(dp->gfsd_static,
 			    dp->gfsd_nstatic * sizeof (gfs_dirent_t));
 			kmem_free(dp, dp->gfsd_file.gfs_size);
 
-			/*
-			 * There is an implied VN_HOLD(dvp) here.  We should
-			 * be doing a VN_RELE(dvp) to clean up the reference
-			 * from *vpp, and then a VN_HOLD(dvp) for the new
-			 * reference.  Instead, we just leave the count alone.
-			 */
-
+			/* dvp was held by winner in gfs_dir_create */
 			*vpp = dvp->v_xattrdir;
 			VN_HOLD(*vpp);
 		} else {
+			/* winner */
 			(*vpp)->v_flag |= (V_XATTRDIR|V_SYSATTR);
 			dvp->v_xattrdir = *vpp;
 		}
author	Vitaliy Gusev <gusev.vitaliy@gmail.com>	2017-11-15 00:50:09 +0300
committer	Dan McDonald <danmcd@joyent.com>	2018-01-24 09:32:29 -0500
commit	f4f14d92e23977993fc16fdcece27ba510a6d40b (patch)
tree	69023859e7c7f68c3167adab297c0dbcff863215
parent	d7db73d165ff4802d277d375e93877471457fed7 (diff)
download	illumos-joyent-f4f14d92e23977993fc16fdcece27ba510a6d40b.tar.gz