Bug#78364: hurd: lookup for names > diskfs_name_max kills filesystem

[Marcus . Brinkmann]

Package: hurd
Version: N/A
Severity: normal

Hi,

touch [ALT+256] x

crashes the filesystem. Further debugging showed that the crash happens
immediately after diskfs_S_dir_lookup is called, in the destructor.
The destuctor for dir_lookup is in libdiskfs/priv.h, it is:

extern inline void
end_using_protid_port (struct protid *cred)
{
  if (cred)
    ports_port_deref (cred);
}

The crash happens in ports_port_deref, when trying to derefence pi, which is
just cred but interpreted as a pointer to a struct port_info.

Now, that's weird. It crashes with E_BAD_ACCESS in ports_port_deref, because
it can't access the memory at cred. I verified that in _Xdir_lookup

        start_dir = begin_using_protid_port(In0P->Head.msgh_request_port);

        OutP->RetCode = diskfs_S_dir_lookup(start_dir, In0P->file_name, 
In0P->flags, In0P->mode, &OutP->do_retry, OutP->retry_name, &OutP->result, 
&resultPoly);
        end_using_protid_port(start_dir);

the value of start_dir isn't mangled (wouldn't make sense anyway).
It is the same for diskfs_S_dir_lookup as for end_using_protid_port.
Maybe the memory at this location is accidently freed? How could this
happen? I single stepped through diskfs_S_dir_lookup and diskfs_lookup,
without seeing anything special.

Any hints appreciated,
Marcus


-- System Information
Debian Release: 2.2
Kernel Version: Linux ulysses 2.4.0-test9 #1 Mon Okt 30 20:36:05 CET 2000 i686 
unknown