From owner-freebsd-current Fri Jul 7 11:23:37 2000 Delivered-To: freebsd-current@freebsd.org Received: from mail-relay.eunet.no (mail-relay.eunet.no [193.71.71.242]) by hub.freebsd.org (Postfix) with ESMTP id 7B89D37C498 for ; Fri, 7 Jul 2000 11:22:52 -0700 (PDT) (envelope-from mbendiks@eunet.no) Received: from login-1.eunet.no (login-1.eunet.no [193.75.110.2]) by mail-relay.eunet.no (8.9.3/8.9.3/GN) with ESMTP id UAA90303 for ; Fri, 7 Jul 2000 20:22:48 +0200 (CEST) (envelope-from mbendiks@eunet.no) Received: from localhost (mbendiks@localhost) by login-1.eunet.no (8.9.3/8.8.8) with ESMTP id UAA75041 for ; Fri, 7 Jul 2000 20:22:48 +0200 (CEST) (envelope-from mbendiks@eunet.no) X-Authentication-Warning: login-1.eunet.no: mbendiks owned process doing -bs Date: Fri, 7 Jul 2000 20:22:48 +0200 (CEST) From: Marius Bendiksen To: current@freebsd.org Subject: OpenBSD errata 008 also applies to FreeBSD Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-current@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG It appears msdosfs is using a vnode after having released its reference on it, which could lead to a bad things under high load. I've patched the OpenBSD errata to apply cleanly to FreeBSD. --- msdosfs_vnops.c.orig Mon Jun 26 06:10:40 2000 +++ msdosfs_vnops.c Mon Jun 26 07:10:17 2000 @@ -1095,9 +1095,9 @@ newparent = 1; vrele(fdvp); if (doingdirectory && newparent) { if (error) /* write access check above */ - goto bad; + goto bad1; if (xp != NULL) vput(tvp); /* * doscheckpath() vput()'s dp, @@ -1123,22 +1123,22 @@ */ if (xp->de_Attributes & ATTR_DIRECTORY) { if (!dosdirempty(xp)) { error = ENOTEMPTY; - goto bad; + goto bad1; } if (!doingdirectory) { error = ENOTDIR; - goto bad; + goto bad1; } cache_purge(tdvp); } else if (doingdirectory) { error = EISDIR; - goto bad; + goto bad1; } error = removede(dp, xp); if (error) - goto bad; + goto bad1; vput(tvp); xp = NULL; } @@ -1148,9 +1148,9 @@ * file/directory. */ error = uniqdosname(VTODE(tdvp), tcnp, toname); if (error) - goto abortit; + goto bad1; /* * Since from wasn't locked at various places above, * have to do a relookup here. @@ -1189,9 +1189,8 @@ if (xp != ip) { if (doingdirectory) panic("rename: lost dir entry"); vrele(ap->a_fvp); - VOP_UNLOCK(fvp, 0, p); if (newparent) VOP_UNLOCK(fdvp, 0, p); xp = NULL; } else { @@ -1214,9 +1213,8 @@ if (error) { bcopy(oldname, ip->de_Name, 11); if (newparent) VOP_UNLOCK(fdvp, 0, p); - VOP_UNLOCK(fvp, 0, p); goto bad; } ip->de_refcnt++; zp->de_fndoffset = from_diroffset; @@ -1224,9 +1222,8 @@ if (error) { /* XXX should really panic here, fs is corrupt */ if (newparent) VOP_UNLOCK(fdvp, 0, p); - VOP_UNLOCK(fvp, 0, p); goto bad; } if (!doingdirectory) { error = pcbmap(dp, de_cluster(pmp, to_diroffset), 0, @@ -1234,9 +1231,8 @@ if (error) { /* XXX should really panic here, fs is corrupt */ if (newparent) VOP_UNLOCK(fdvp, 0, p); - VOP_UNLOCK(fvp, 0, p); goto bad; } if (ip->de_dirclust == MSDOSFSROOT) ip->de_diroffset = to_diroffset; @@ -1263,9 +1259,8 @@ NOCRED, &bp); if (error) { /* XXX should really panic here, fs is corrupt */ brelse(bp); - VOP_UNLOCK(fvp, 0, p); goto bad; } dotdotp = (struct direntry *)bp->b_data + 1; putushort(dotdotp->deStartCluster, dp->de_StartCluster); @@ -1273,21 +1268,21 @@ putushort(dotdotp->deHighClust, dp->de_StartCluster >> 16); error = bwrite(bp); if (error) { /* XXX should really panic here, fs is corrupt */ - VOP_UNLOCK(fvp, 0, p); goto bad; } } - VOP_UNLOCK(fvp, 0, p); bad: + VOP_UNLOCK(fvp, 0, p); + vrele(fdvp); +bad1: if (xp) vput(tvp); vput(tdvp); out: ip->de_flag &= ~DE_RENAME; - vrele(fdvp); vrele(fvp); return (error); } To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message