FS shell: VFS use after free error

[jscipione]

In the VFS subsystem CID is reporting that we have several cases where we are using a pointer after freeing it. See attached CID report for more details I believe this is caused by vnode_path_to_vnode() decrementing the ref_count of the vnode freeing it before it was expected.

[jscipione]

CID 702320 and 1397511 USE_AFTER_FREE

[jscipione]

Patch which increments vnode ref_count before calling vnode_path_to_vnode()

[jscipione]

Perhaps a better way to fix this would be to rewrite vnode_path_to_vnode() to not decrement the ref_count of the passed in vnode anymore.

[bonefish]

Please note that the code in question is a fork of an earlier version of the kernel code. Without having looked into the issues in question, an option other than to fix the bugs in this implementation could be to update the code to the current version (respectively port the changes since the last update).

[jscipione]

Does hrev52646 have an effect on this ticket or does it at least reveal the real bug culprit? Asking because this bug has to do with the vfs subsystem and ref_count being wrong causing use after free errors.

[waddlesplash]

Uh, neither; this ticket is about the VFS shell, which uses a copy of the VFS code and hasn't been touched in quite a while.