From: Jilles Tjoelker Date: Fri, 7 Mar 2014 16:43:09 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r262892 - stable/10/lib/libc/gen X-SVN-Group: stable-10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Mar 2014 16:43:09 -0000 Author: jilles Date: Fri Mar 7 16:43:08 2014 New Revision: 262892 URL: http://svnweb.freebsd.org/changeset/base/262892 Log: MFC r261859: fts: Fix double-free with conflicting concurrent modifications. If rare conditions such as concurrent conflicting manipulation of the filesystem occur, fts_read() frees the current FTSENT without adjusting the pointers in the FTS accordingly. A later fts_close() then frees the same FTSENT again. Modified: stable/10/lib/libc/gen/fts.c Directory Properties: stable/10/ (props changed) Modified: stable/10/lib/libc/gen/fts.c ============================================================================== --- stable/10/lib/libc/gen/fts.c Fri Mar 7 16:14:51 2014 (r262891) +++ stable/10/lib/libc/gen/fts.c Fri Mar 7 16:43:08 2014 (r262892) @@ -406,8 +406,6 @@ fts_read(FTS *sp) /* Move to the next node on this level. */ next: tmp = p; if ((p = p->fts_link) != NULL) { - free(tmp); - /* * If reached the top, return to the original directory (or * the root of the tree), and load the paths for the next root. @@ -417,6 +415,7 @@ next: tmp = p; SET(FTS_STOP); return (NULL); } + free(tmp); fts_load(sp, p); return (sp->fts_cur = p); } 
@@ -426,8 +425,10 @@ next: tmp = p; * ignore. If followed, get a file descriptor so we can * get back if necessary. */ - if (p->fts_instr == FTS_SKIP) + if (p->fts_instr == FTS_SKIP) { + free(tmp); goto next; + } if (p->fts_instr == FTS_FOLLOW) { p->fts_info = fts_stat(sp, p, 1); if (p->fts_info == FTS_D && !ISSET(FTS_NOCHDIR)) { @@ -441,6 +442,8 @@ next: tmp = p; p->fts_instr = FTS_NOINSTR; } + free(tmp); + name: t = sp->fts_path + NAPPEND(p->fts_parent); *t++ = '/'; memmove(t, p->fts_name, p->fts_namelen + 1); @@ -449,13 +452,13 @@ name: t = sp->fts_path + NAPPEND(p->fts /* Move up to the parent node. */ p = tmp->fts_parent; - free(tmp); if (p->fts_level == FTS_ROOTPARENTLEVEL) { /* * Done; free everything up and set errno to 0 so the user * can distinguish between error and EOF. */ + free(tmp); free(p); errno = 0; return (sp->fts_cur = NULL); @@ -488,6 +491,7 @@ name: t = sp->fts_path + NAPPEND(p->fts SET(FTS_STOP); return (NULL); } + free(tmp); p->fts_info = p->fts_errno ? FTS_ERR : FTS_DP; return (sp->fts_cur = p); }
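Review bot: In the @@ -406,8 +406,6 hunk, the early exit SET(FTS_STOP); return (NULL); now returns without freeing tmp and without assigning sp->fts_cur, and nothing in the hunk says that this is what leaves the node owned by the FTS so that fts_close() frees it exactly once. A short comment above the moved free(tmp), saying the old node is released only once p is certain to become fts_cur, would keep a later cleanup from hoisting the free back to the top of the block.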
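Review bot: In the @@ -426,8 +425,10 hunk, the FTS_SKIP branch frees tmp and jumps back to next, where tmp is reassigned, but no visible line updates sp->fts_cur on that path. If fts_cur was the node just freed, the FTS refers to freed memory until a later return sets it. Please add a comment or a regression test showing that the SET(FTS_STOP); return (NULL); exit under next cannot be reached after a skip. In the @@ -441,6 +442,8 hunk, the free(tmp) placed directly above the name: label is only executed on fall-through, so a one-line comment should say whether code that jumps to name is expected to arrive with nothing left to free.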
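Review bot: In the @@ -449,13 +452,13 and @@ -488,6 +491,7 hunks, tmp has to stay allocated from p = tmp->fts_parent; down to the free(tmp) before the final return (sp->fts_cur = p);, and the lines between the two hunks are not shown in this diff. Every return in that stretch must either free tmp or leave sp->fts_cur pointing at it, as the SET(FTS_STOP); return (NULL); exit does. A comment at p = tmp->fts_parent; stating that rule would make the two new free(tmp) calls auditable without reading the whole function.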