From: Colin Walters Date: Thu, 23 Feb 2017 14:40:17 +0000 (-0500) Subject: deploy: Correctly use libmount unref() calls rather than free() X-Git-Tag: archive/raspbian/2022.1-3+rpi1~1^2~4^2~40^2~22 X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/%22/%22http:/www.example.com/cgi/%22?a=commitdiff_plain;h=0817be61a17cc8b770cad54196182ac9c3109caf;p=ostree.git deploy: Correctly use libmount unref() calls rather than free() We saw a random ostree SEGV start popping up in our CI environment: https://github.com/projectatomic/rpm-ostree/pull/641#issuecomment-281870424 Looking at this code more and comparing it to what util-linux does, I noticed we had a write-after-free, since `mnt_unref_table()` will invoke `mnt_unref_cache()` on its cache, and that function does: ``` if (cache) { cache->rfcount--; ``` unconditionally. Fix this by using `unref()`. Closes: #705 Approved by: jlebon --- diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c index cb5a4615..5a3f6d85 100644 --- a/src/libostree/ostree-sysroot-deploy.c +++ b/src/libostree/ostree-sysroot-deploy.c @@ -1692,8 +1692,8 @@ is_ro_mount (const char *path) fs = mnt_table_find_target(tb, path, MNT_ITER_BACKWARD); is_mount = fs && mnt_fs_get_target (fs); - mnt_free_cache (cache); - mnt_free_table (tb); + mnt_unref_cache (cache); + mnt_unref_table (tb); if (!is_mount) return FALSE;
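Review bot: The replacement pair `mnt_unref_cache (cache);` followed by `mnt_unref_table (tb);` in `is_ro_mount()` is balanced only if `tb` took its own reference on `cache` when the cache was attached. That attachment sits above the visible context of this hunk, so it is worth confirming there. As the commit message notes, `mnt_unref_table()` calls `mnt_unref_cache()` on its cache and decrements the count unconditionally, so the caller's unref here must drop only the caller's reference and leave the table's reference for the second call to release. A one-line comment above the two calls would help, stating that the table still references the cache and that `mnt_free_*()` must therefore not be used, so a later cleanup does not reintroduce the write-after-free. `is_mount` is computed from `fs` before either unref, which is the right order and should stay that way, since `fs` comes from `tb`. The message describes the crash as random in CI, so it would also be useful to say whether the fix was checked under valgrind or ASan, and whether any other `mnt_free_cache()` or `mnt_free_table()` callers remain elsewhere in the tree.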