making crdup()/crcopy() safe??

From: Rick Macklem <rmacklem_at_uoguelph.ca>
Date: Mon, 19 Dec 2011 20:21:45 -0500 (EST)
Hi,

A recent NFS client crash:
  http://glebius.int.ru/tmp/nfs_panic.jpg
appears to have happened because some field is
bogus when crfree() is called. I've asked Gleb
to disassemble crfree() for me, so I can try and
see exactly which field causes the crash, however...

Basically, the code:
   newcred = crdup(cred);
   - does read with newcred
   crfree(newcred);  <-- which crashes at 0x65 into
                         crfree()

Looking at crdup(), it calls crcopy(), which copies
4 pointers and then ref. counts them:
  cr_uidinfo, cr_ruidinfo, cr_prison and cr_loginclass

It seems some lock should be held while crcopy() does this,
so that the pointers don't get deref'd during the copy/ref. count?
(Or is there some rule that guarantees these won't change, i.e. no
 calls to change_euid() or similar?)

Is there such a lock and should crdup() use it?

Thanks in advance for any info, rick
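The window described above, as an added illustration that is not part of the original mail and not FreeBSD code: a constructed two-thread model in which a crcopy()-style copy reads a shared pointer and takes a reference on it in two separate steps, while a writer (standing in for a change_euid()-style update) replaces the pointer and drops the old reference. The names struct obj, struct cred, swap in writer() and cred_lock are hypothetical stand-ins for cr_uidinfo and friends and for whatever lock, if any, the kernel would use; a freed flag replaces a real free() so the result can be inspected. The interleaving is forced with condition variables so both runs are deterministic.

```c
/*
 * Constructed model (not FreeBSD code) of a copy-then-reference window.
 * Reader: copy pointer, then hold it.  Writer: swap pointer, release old.
 * Without a common lock the writer can run between the two reader steps.
 */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

struct obj  { int refcnt; bool freed; };   /* stand-in for e.g. uidinfo */
struct cred { struct obj *field; };        /* stand-in for cr_uidinfo etc. */

/* One-shot event used to force a deterministic interleaving. */
struct event { pthread_mutex_t m; pthread_cond_t c; bool set; };

static void event_init(struct event *e) {
    pthread_mutex_init(&e->m, NULL); pthread_cond_init(&e->c, NULL); e->set = false;
}
static void event_post(struct event *e) {
    pthread_mutex_lock(&e->m); e->set = true;
    pthread_cond_broadcast(&e->c); pthread_mutex_unlock(&e->m);
}
static void event_wait(struct event *e) {
    pthread_mutex_lock(&e->m);
    while (!e->set) pthread_cond_wait(&e->c, &e->m);
    pthread_mutex_unlock(&e->m);
}

static void obj_hold(struct obj *o) { o->refcnt++; }
static void obj_rele(struct obj *o) { if (--o->refcnt == 0) o->freed = true; }

/* Shared state for one run of the scenario. */
struct scenario {
    struct obj a, b;
    struct cred live;            /* the credential being copied */
    struct cred copy;            /* result of the crcopy()-style copy */
    pthread_mutex_t cred_lock;   /* hypothetical lock both sides would take */
    bool use_lock;
    struct event ptr_copied;     /* reader has read the pointer */
    struct event writer_done;    /* writer has swapped and released */
};

/* Writer: replaces the field (think change_euid()) and drops the old ref. */
static void *writer(void *arg) {
    struct scenario *s = arg;
    event_wait(&s->ptr_copied);            /* try to run inside the window */
    if (s->use_lock) pthread_mutex_lock(&s->cred_lock);
    struct obj *old = s->live.field;
    s->live.field = &s->b;
    obj_rele(old);
    if (s->use_lock) pthread_mutex_unlock(&s->cred_lock);
    event_post(&s->writer_done);
    return NULL;
}

/* Returns true if the copy ends up holding an object that was freed. */
static bool run_scenario(bool use_lock) {
    struct scenario s = { .a = {1, false}, .b = {1, false}, .use_lock = use_lock };
    s.live.field = &s.a;
    pthread_mutex_init(&s.cred_lock, NULL);
    event_init(&s.ptr_copied); event_init(&s.writer_done);

    pthread_t w;
    pthread_create(&w, NULL, writer, &s);

    /* Reader: the crcopy()-style two-step copy. */
    if (use_lock) pthread_mutex_lock(&s.cred_lock);
    s.copy.field = s.live.field;                 /* step 1: copy the pointer */
    event_post(&s.ptr_copied);                   /* writer wakes up here */
    if (!use_lock) event_wait(&s.writer_done);   /* unlocked: writer gets in between */
    obj_hold(s.copy.field);                      /* step 2: take the reference */
    if (use_lock) pthread_mutex_unlock(&s.cred_lock); /* writer proceeds only now */

    pthread_join(w, NULL);
    return s.copy.field->freed;
}

int main(void) {
    printf("unlocked copy holds a freed object: %s\n", run_scenario(false) ? "yes" : "no");
    printf("locked copy holds a freed object:   %s\n", run_scenario(true) ? "yes" : "no");
    return 0;
}
```

In the unlocked run the writer's release takes the old object's count to zero before the reader's hold lands, so the copy refers to a freed object with a count of one, which is the kind of state crfree() would later trip over. With both sides taking the same lock the writer blocks until the reader has finished both steps, and the old object keeps the copy's reference.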
Received on Tue Dec 20 2011 - 00:21:46 UTC