git: 5ae9f8e9ac5e - main - md: Restore guards in mddestroy()

Thu, 03 Jul 2025 08:20:44 -0700 

The branch main has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=5ae9f8e9ac5e1307fed4f7f2549347576f01b3fa

commit 5ae9f8e9ac5e1307fed4f7f2549347576f01b3fa
Author:     Mark Johnston <ma...@freebsd.org>
AuthorDate: 2025-07-03 13:10:49 +0000
Commit:     Mark Johnston <ma...@freebsd.org>
CommitDate: 2025-07-03 15:10:41 +0000

    md: Restore guards in mddestroy()
    
    mddestroy() may be invoked on a partially constructed md device.
    Restore the guards that handled this prior to commit e91022168101.
    
    Reported by:    syzbot+a0ff73f664de8757c...@syzkaller.appspotmail.com
    Reported by:    syzbot+7b4a4824bf8154828...@syzkaller.appspotmail.com
    Reviewed by:    kib
    Fixes:          e91022168101 ("md(4): move type-specific data under union")
    Differential Revision:  https://reviews.freebsd.org/D51145
---
 sys/dev/md/md.c | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/sys/dev/md/md.c b/sys/dev/md/md.c
index b842d4f2fd8e..741a7c013f7d 100644
--- a/sys/dev/md/md.c
+++ b/sys/dev/md/md.c
@@ -1559,19 +1559,26 @@ mddestroy(struct md_s *sc, struct thread *td)
        mtx_destroy(&sc->queue_mtx);
        switch (sc->type) {
        case MD_VNODE:
-               vn_lock(sc->s_vnode.vnode, LK_EXCLUSIVE | LK_RETRY);
-               sc->s_vnode.vnode->v_vflag &= ~VV_MD;
-               VOP_UNLOCK(sc->s_vnode.vnode);
-               (void)vn_close(sc->s_vnode.vnode, sc->flags & MD_READONLY ?
-                   FREAD : (FREAD|FWRITE), sc->cred, td);
-               kva_free(sc->s_vnode.kva, maxphys + PAGE_SIZE);
+               if (sc->s_vnode.vnode != NULL) {
+                       vn_lock(sc->s_vnode.vnode, LK_EXCLUSIVE | LK_RETRY);
+                       sc->s_vnode.vnode->v_vflag &= ~VV_MD;
+                       VOP_UNLOCK(sc->s_vnode.vnode);
+                       (void)vn_close(sc->s_vnode.vnode,
+                           sc->flags & MD_READONLY ?  FREAD : (FREAD|FWRITE),
+                           sc->cred, td);
+               }
+               if (sc->s_vnode.kva != 0)
+                       kva_free(sc->s_vnode.kva, maxphys + PAGE_SIZE);
                break;
        case MD_SWAP:
-               vm_object_deallocate(sc->s_swap.object);
+               if (sc->s_swap.object != NULL)
+                       vm_object_deallocate(sc->s_swap.object);
                break;
        case MD_MALLOC:
-               destroy_indir(sc, sc->s_malloc.indir);
-               uma_zdestroy(sc->s_malloc.uma);
+               if (sc->s_malloc.indir != NULL)
+                       destroy_indir(sc, sc->s_malloc.indir);
+               if (sc->s_malloc.uma != NULL)
+                       uma_zdestroy(sc->s_malloc.uma);
                break;
        case MD_PRELOAD:
        case MD_NULL:

Reply via email to