Date: Fri, 31 Aug 2007 22:29:55 +0000 (UTC) From: Bruce Evans <bde@FreeBSD.org> To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org Subject: cvs commit: src/sys/fs/msdosfs direntry.h msdosfs_conv.c msdosfs_lookup.c msdosfs_vnops.c Message-ID: <200708312229.l7VMTtW6005339@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
bde 2007-08-31 22:29:55 UTC FreeBSD src repository Modified files: sys/fs/msdosfs direntry.h msdosfs_conv.c msdosfs_lookup.c msdosfs_vnops.c Log: Fix races in msdosfs_lookup() and msdosfs_readdir(). These functions can easily block in bread(), and then there was nothing to prevent the static buffer (nambuf_{ptr,len,last_id}) being clobbered by another thread. The effects of the bug seem to have been limited to failed lookups and mangled names in readdir(), since Giant locking provides enough serialization to prevent concurrent calls to the functions that access the buffer. They were very obvious for multiple concurrent tree walks, especially with a small cluster size. The bug was introduced in msdosfs_conv.c 1.34 and associated changes, and is in all releases starting with 5.2. The fix is to allocate the buffer as a local variable and pass around pointers to it like "_r" functions in libc do. Stack use from this is large but not too large. This also fixes a memory leak on module unload. Reviewed by: kib Approved by: re (kensmith) Revision Changes Path 1.24 +12 -5 src/sys/fs/msdosfs/direntry.h 1.53 +35 -41 src/sys/fs/msdosfs/msdosfs_conv.c 1.51 +9 -9 src/sys/fs/msdosfs/msdosfs_lookup.c 1.179 +8 -7 src/sys/fs/msdosfs/msdosfs_vnops.c
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200708312229.l7VMTtW6005339>