Date:      Fri, 31 Aug 2007 22:29:55 +0000 (UTC)
From:      Bruce Evans <bde@FreeBSD.org>
To:        src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   cvs commit: src/sys/fs/msdosfs direntry.h msdosfs_conv.c msdosfs_lookup.c msdosfs_vnops.c
Message-ID:  <200708312229.l7VMTtW6005339@repoman.freebsd.org>

bde         2007-08-31 22:29:55 UTC

  FreeBSD src repository

  Modified files:
    sys/fs/msdosfs       direntry.h msdosfs_conv.c 
                         msdosfs_lookup.c msdosfs_vnops.c 
  Log:
  Fix races in msdosfs_lookup() and msdosfs_readdir().  These functions
  can easily block in bread(), and then there was nothing to prevent the
  static buffer (nambuf_{ptr,len,last_id}) being clobbered by another
  thread.
  
  The effects of the bug seem to have been limited to failed lookups and
  mangled names in readdir(), since Giant locking provides enough
  serialization to prevent concurrent calls to the functions that access
  the buffer.  They were very obvious for multiple concurrent tree walks,
  especially with a small cluster size.
  
  The bug was introduced in msdosfs_conv.c 1.34 and associated changes,
  and is in all releases starting with 5.2.
  
  The fix is to allocate the buffer as a local variable and pass around
  pointers to it like "_r" functions in libc do.  Stack use from this
  is large but not too large.  This also fixes a memory leak on module
  unload.
  
  Reviewed by:    kib
  Approved by:    re (kensmith)
  
  Revision  Changes    Path
  1.24      +12 -5     src/sys/fs/msdosfs/direntry.h
  1.53      +35 -41    src/sys/fs/msdosfs/msdosfs_conv.c
  1.51      +9 -9      src/sys/fs/msdosfs/msdosfs_lookup.c
  1.179     +8 -7      src/sys/fs/msdosfs/msdosfs_vnops.c
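
The race and the fix described in the log, reduced to a deterministic single-threaded model. This is an added example, not code from the FreeBSD commit: `struct nbuf`, `walk()` and the `blocked` callback are hypothetical names, and the callback stands in for a sleep in bread() during which another walker runs.

```c
#include <stdio.h>
#include <string.h>
#define NAMEMAX 64
/* Hypothetical accumulator; stands in for the log's nambuf_{ptr,len,last_id}. */
struct nbuf { char name[NAMEMAX]; size_t len; };
static struct nbuf shared;       /* buggy variant: one buffer for every caller */
static char other_out[NAMEMAX];  /* name produced by the interleaved walker */

static void nbuf_add(struct nbuf *nb, const char *chunk)
{
    size_t n = strlen(chunk);
    if (n > NAMEMAX - 1 - nb->len) n = NAMEMAX - 1 - nb->len;  /* truncate */
    memcpy(nb->name + nb->len, chunk, n);
    nb->len += n;
    nb->name[nb->len] = '\0';
}

/* Assemble a two-chunk name; blocked() models sleeping between the chunks. */
static void walk(struct nbuf *nb, const char *c1, const char *c2,
                 void (*blocked)(void), char *out)
{
    nb->len = 0;
    nbuf_add(nb, c1);
    if (blocked) blocked();      /* another walker runs here */
    nbuf_add(nb, c2);
    strcpy(out, nb->name);
}

static void other_static(void) { walk(&shared, "second_", "file.txt", NULL, other_out); }
static void other_local(void) { struct nbuf nb; walk(&nb, "second_", "file.txt", NULL, other_out); }

/* Each returns 1 if the first walker's name came out intact, 0 if mangled. */
int run_static(char *out)
{
    walk(&shared, "first_long_", "name.dat", other_static, out);
    return strcmp(out, "first_long_name.dat") == 0;
}
int run_local(char *out)
{
    struct nbuf nb;              /* the fix: caller-owned state, "_r" style */
    walk(&nb, "first_long_", "name.dat", other_local, out);
    return strcmp(out, "first_long_name.dat") == 0;
}

int main(void)
{
    char a[NAMEMAX], b[NAMEMAX];
    int s = run_static(a), l = run_local(b);
    printf("static: intact=%d %s\nlocal:  intact=%d %s\n", s, a, l, b);
}
```

With the shared buffer the first walker resumes on top of the second walker's state and returns a name spliced from both; with a caller-owned buffer each walker's result is independent of the interleaving.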


