From owner-cvs-all@FreeBSD.ORG Fri Aug 31 22:29:55 2007
Delivered-To: cvs-all@FreeBSD.org
Message-Id: <200708312229.l7VMTtW6005339@repoman.freebsd.org>
From: Bruce Evans <bde@FreeBSD.org>
Date: Fri, 31 Aug 2007 22:29:55 +0000 (UTC)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
X-FreeBSD-CVS-Branch: HEAD
Subject: cvs commit: src/sys/fs/msdosfs direntry.h msdosfs_conv.c msdosfs_lookup.c msdosfs_vnops.c
List-Id: CVS commit messages for the entire tree

bde         2007-08-31 22:29:55 UTC

  FreeBSD src repository

  Modified files:
    sys/fs/msdosfs       direntry.h msdosfs_conv.c msdosfs_lookup.c
                         msdosfs_vnops.c
  Log:
  Fix races in msdosfs_lookup() and msdosfs_readdir().  These functions
  can easily block in bread(), and then there was nothing to prevent the
  static buffer (nambuf_{ptr,len,last_id}) being clobbered by another
  thread.

  The effects of the bug seem to have been limited to failed lookups and
  mangled names in readdir(), since Giant locking provides enough
  serialization to prevent concurrent calls to the functions that access
  the buffer.  They were very obvious for multiple concurrent tree walks,
  especially with a small cluster size.

  The bug was introduced in msdosfs_conv.c 1.34 and associated changes,
  and is in all releases starting with 5.2.

  The fix is to allocate the buffer as a local variable and pass around
  pointers to it like "_r" functions in libc do.  Stack use from this is
  large but not too large.

  This also fixes a memory leak on module unload.

  Reviewed by:  kib
  Approved by:  re (kensmith)

  Revision  Changes    Path
  1.24      +12 -5     src/sys/fs/msdosfs/direntry.h
  1.53      +35 -41    src/sys/fs/msdosfs/msdosfs_conv.c
  1.51      +9 -9      src/sys/fs/msdosfs/msdosfs_lookup.c
  1.179     +8 -7      src/sys/fs/msdosfs/msdosfs_vnops.c
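The following is an added illustration, not FreeBSD code and not part of this commit, of the bug shape the log describes and of the "_r"-style fix it applies. A long name is assembled chunk by chunk, as it would be from several directory entries, and between chunks the caller may sleep in bread(), letting another thread run the same path. Real threads are replaced by a deterministic "yield" callback that stands in for the sleep; the buffer layout, chunk strings and function names are all hypothetical. The static-buffer version hands the first walker a name spliced from both lookups, which is exactly the kind of mangled readdir() name or failed lookup the log mentions; the version with a caller-owned buffer does not.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical stand-in for the msdosfs name buffer; sizes are made up. */
#define NAMEBUF_LEN 64

struct nambuf {
    char   buf[NAMEBUF_LEN];
    size_t len;
};

/* Simulates "this thread went to sleep in bread() and another one ran". */
typedef void (*yield_fn)(void *arg);

/* Buggy shape: one static buffer shared by every caller in the kernel. */
static struct nambuf g_nambuf;

/* Append chunks into the shared static buffer, yielding between chunks. */
static void assemble_name_static(const char *const *chunks, size_t nchunks,
                                 yield_fn yield, void *yarg,
                                 char *out, size_t outlen)
{
    g_nambuf.len = 0;
    for (size_t i = 0; i < nchunks; i++) {
        size_t cl = strlen(chunks[i]);
        if (g_nambuf.len + cl >= NAMEBUF_LEN)
            break;                              /* truncate, never overflow */
        memcpy(g_nambuf.buf + g_nambuf.len, chunks[i], cl);
        g_nambuf.len += cl;
        if (yield != NULL && i + 1 < nchunks)
            yield(yarg);                        /* "blocked in bread()" */
    }
    g_nambuf.buf[g_nambuf.len] = '\0';
    snprintf(out, outlen, "%s", g_nambuf.buf);
}

/* Fixed shape, the libc "_r" convention: the caller owns the buffer. */
static void assemble_name_r(const char *const *chunks, size_t nchunks,
                            yield_fn yield, void *yarg,
                            struct nambuf *nb, char *out, size_t outlen)
{
    nb->len = 0;
    for (size_t i = 0; i < nchunks; i++) {
        size_t cl = strlen(chunks[i]);
        if (nb->len + cl >= NAMEBUF_LEN)
            break;
        memcpy(nb->buf + nb->len, chunks[i], cl);
        nb->len += cl;
        if (yield != NULL && i + 1 < nchunks)
            yield(yarg);                        /* sleeps, but nb is ours */
    }
    nb->buf[nb->len] = '\0';
    snprintf(out, outlen, "%s", nb->buf);
}

/* Constructed sample input: two concurrent tree walks reading two names. */
static const char *const walker_a[] = { "READ", "ME.TXT" };
static const char *const walker_b[] = { "OTHER", ".DAT" };

/* The "other thread": completes a whole lookup while the first one sleeps. */
static void other_thread_static(void *arg)
{
    char scratch[NAMEBUF_LEN];
    (void)arg;
    assemble_name_static(walker_b, 2, NULL, NULL, scratch, sizeof scratch);
}

static void other_thread_r(void *arg)
{
    struct nambuf own;                          /* its own stack buffer */
    char scratch[NAMEBUF_LEN];
    (void)arg;
    assemble_name_r(walker_b, 2, NULL, NULL, &own, scratch, sizeof scratch);
}

/* Name walker A ends up with when the buffer is static: spliced from both. */
const char *lookup_with_static_buffer(void)
{
    static char result[NAMEBUF_LEN];
    assemble_name_static(walker_a, 2, other_thread_static, NULL,
                         result, sizeof result);
    return result;
}

/* Name walker A ends up with when each caller passes its own buffer. */
const char *lookup_with_caller_buffer(void)
{
    static char result[NAMEBUF_LEN];
    struct nambuf mine;                         /* local, as in the fix */
    assemble_name_r(walker_a, 2, other_thread_r, NULL, &mine,
                    result, sizeof result);
    return result;
}

int main(void)
{
    printf("static buffer : %s\n", lookup_with_static_buffer());
    printf("caller buffer : %s\n", lookup_with_caller_buffer());
    return 0;
}
```

The point the "_r" pattern makes is that reentrancy, not locking, is what the buffer needed: no lock held across a sleep in bread() could have saved a single global scratch area short of serialising every lookup, whereas a per-call buffer on the stack makes the interleaving harmless. The cost is the stack use the log mentions, which is why the buffer lives in the caller's frame rather than being allocated per call.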