Date: Mon, 19 Dec 2011 20:21:45 -0500 (EST) From: Rick Macklem <rmacklem@uoguelph.ca> To: freebsd-current@freebsd.org Subject: making crdup()/crcopy() safe?? Message-ID: <261812530.427572.1324344105125.JavaMail.root@erie.cs.uoguelph.ca>
next in thread | raw e-mail | index | archive | help
Hi, A recent NFS client crash: http://glebius.int.ru/tmp/nfs_panic.jpg appears to have happened because some field is bogus when crfree() is called. I've asked Gleb to disassemble crfree() for me, so I can try and see exactly which field causes the crash, however... Basically, the code: newcred = crdup(cred); - does read with newcred crfree(newcred); <-- which crashes at 0x65 into crfree() Looking at crdup(), it calls crcopy(), which copies 4 pointers and then ref. counts them: cr_uidinfo, cr_ruidinfo, cr_prison and cr_loginclass It seems some lock should be held while crcopy() does this, so that the pointers don't get deref'd during the copy/ref. count? (Or is there some rule that guarantees these won't change. ie. No no calls to change_euid() or similar.) Is there such a lock and should crdup() use it? Thanks in advance for any info, rick
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?261812530.427572.1324344105125.JavaMail.root>