zfs_deleteextattr: name buffer from namei is needed by zfs_rename

If we prematurely free the name buffer and it gets quickly recycled, then zfs_rename may see data from another lookup or even unmapped memory via cn_nameptr. MFC after: 6 days Sponsored by: HybridCluster
2014-01-16 12:31:27 +00:00 · 2014-01-16 12:31:27 +00:00 · 113f9a4f53
commit 113f9a4f53
parent 31b7f68d80
1 changed files with 3 additions and 1 deletions
--- a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c
+++ b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c
@ -6774,14 +6774,16 @@ vop_deleteextattr {
 	    UIO_SYSSPACE, attrname, xvp, td);
 	error = namei(&nd);
 	vp = nd.ni_vp;
-	NDFREE(&nd, NDF_ONLY_PNBUF);
 	if (error != 0) {
 		ZFS_EXIT(zfsvfs);
+		NDFREE(&nd, NDF_ONLY_PNBUF);
 		if (error == ENOENT)
 			error = ENOATTR;
 		return (error);
 	}
+
 	error = VOP_REMOVE(nd.ni_dvp, vp, &nd.ni_cnd);
+	NDFREE(&nd, NDF_ONLY_PNBUF);

 	vput(nd.ni_dvp);
 	if (vp == nd.ni_dvp)