Fixed a NULL pointer dereference bug in zfs_preumount

When zpl_fill_super -> zfs_domount fails (e.g. because the dataset
was destroyed before it could be successfully mounted) the subsequent
call to zpl_kill_sb -> zfs_preumount would dereference a NULL pointer.

This bug can be reproduced using this shell script:

 #!/bin/sh
 (
 while true; do
 	zfs create -o mountpoint=legacy tank/bar
 	zfs destroy tank/bar
 done
 ) &

 (
 while true; do
 	mount -t zfs tank/bar /mnt
 	umount /mnt
 done
 ) &

Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #639
Gunnar Beutner 2012-04-05 10:30:10 +02:00 committed by Brian Behlendorf
parent 2ce9d0ec61
commit 1f0d8a566f


@ -1231,7 +1231,7 @@ zfs_preumount(struct super_block *sb)
{ {
zfs_sb_t *zsb = sb->s_fs_info; zfs_sb_t *zsb = sb->s_fs_info;
if (zsb->z_ctldir != NULL) if (zsb != NULL && zsb->z_ctldir != NULL)
zfsctl_destroy(zsb); zfsctl_destroy(zsb);
} }
EXPORT_SYMBOL(zfs_preumount); EXPORT_SYMBOL(zfs_preumount);
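Review bot: The new `zsb != NULL` guard in zfs_preumount has no comment explaining why sb->s_fs_info can legitimately be NULL here, so a later reader may take it for a defensive no-op and drop it; please add a short comment above the check stating that zpl_kill_sb reaches zfs_preumount even when zpl_fill_super -> zfs_domount failed and s_fs_info was never set. Since the commit message describes the failure as occurring in the zpl_kill_sb path as a whole, it is also worth confirming that no other callee on that path dereferences sb->s_fs_info without the same check, or alternatively that zpl_kill_sb skips the teardown entirely when s_fs_info is NULL, so the assumption lives in one place rather than in each callee.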