fs: Fix use after free

In case of the fs mounted to '/' the root dentry of the mounted filesystem is the place where it's mounted itself, so sb->s_root is the same as fsdev->vfsmount.mountpoint. In that case make sure we only access it before it has been killed in dentry_delete_subtree(). Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
author: Sascha Hauer <s.hauer@pengutronix.de> 2020-09-14 14:38:01 +0200
committer: Sascha Hauer <s.hauer@pengutronix.de> 2020-09-14 15:06:21 +0200
commit: 7da130c068bf2bfd115976054ffeebc4d8e80f0a (patch)
tree: 6af46dad31e8a2a3f07198eb5ab1b8d8f0614364 /fs
parent: 86bdbff94565363a9b53f9c3f48bbef549a61607 (diff)
download: barebox-7da130c068bf2bfd115976054ffeebc4d8e80f0a.tar.gz
barebox-7da130c068bf2bfd115976054ffeebc4d8e80f0a.tar.xz
1 files changed, 3 insertions, 3 deletions
diff --git a/fs/fs.c b/fs/fs.c
index a6c6f0cc93..5784e9c1f3 100644
--- a/fs/fs.c
+++ b/fs/fs.c
@@ -667,14 +667,14 @@ static void fs_remove(struct device_d *dev)
 	if (fsdev->loop && fsdev->cdev)
 		cdev_remove_loop(fsdev->cdev);
 
+	if (fsdev->vfsmount.mountpoint)
+		fsdev->vfsmount.mountpoint->d_flags &= ~DCACHE_MOUNTED;
+
 	dentry_delete_subtree(sb, sb->s_root);
 
 	list_for_each_entry_safe(inode, tmp, &sb->s_inodes, i_sb_list)
 		destroy_inode(inode);
 
-	if (fsdev->vfsmount.mountpoint)
-		fsdev->vfsmount.mountpoint->d_flags &= ~DCACHE_MOUNTED;
-
 	mntput(fsdev->vfsmount.parent);
 
 	free(fsdev->backingstore);
author	Sascha Hauer <s.hauer@pengutronix.de>	2020-09-14 14:38:01 +0200
committer	Sascha Hauer <s.hauer@pengutronix.de>	2020-09-14 15:06:21 +0200
commit	7da130c068bf2bfd115976054ffeebc4d8e80f0a (patch)
tree	6af46dad31e8a2a3f07198eb5ab1b8d8f0614364 /fs
parent	86bdbff94565363a9b53f9c3f48bbef549a61607 (diff)
download	barebox-7da130c068bf2bfd115976054ffeebc4d8e80f0a.tar.gz barebox-7da130c068bf2bfd115976054ffeebc4d8e80f0a.tar.xz