Subject: kern/10278: kernfs may hang kernel
To: None <gnats-bugs@gnats.netbsd.org>
From: IWAMOTO Toshihiro <iwamoto@sat.t.u-tokyo.ac.jp>
List: netbsd-bugs
Date: 06/04/2000 08:53:11
>Number: 10278
>Category: kern
>Synopsis: kernfs may hang kernel
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Jun 04 08:54:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: IWAMOTO Toshihiro
>Release: 2 days old -current
>Organization:
>Environment:
System: NetBSD 1.4Z i386
>Description:
kernfs_getattr goes into an infinite loop if the attributes of
/kern/msgbuf are requested and the kernel msgbuf is broken.
An infinite loop also happens if the hostname is 256 bytes
long and the attributes of /kern/hostname are requested.
This happens because kernfs_getattr calls kernfs_xread in
a loop until it returns 0 (around line 498 of kernfs_vnops.c),
and in the above situations kernfs_xread repeatedly returns
non-zero error codes instead, so the loop never sees a 0.
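As an added illustration (not code from this PR or from NetBSD), the C model below assumes, as the description implies, that kernfs_xread's return value doubles as a byte count and as an errno; it shows why the size loop cannot terminate on a failing source and how carrying status and length separately fixes it. All model_ and attr_size_ names are hypothetical.

```c
/* Added illustration (not NetBSD code): a model of the overloaded return
 * value behind this PR.  Names starting with model_ are hypothetical. */
#include <errno.h>
#include <string.h>
/* Like the original kernfs_xread: returns a byte count on success, 0 at
 * EOF, but an errno on failure; an errno is a small positive number too. */
static int model_xread_overloaded(const char *src, int broken, size_t off, size_t len)
{
    size_t avail = strlen(src);
    if (broken)
        return ENXIO;                   /* reads as "6 bytes produced" */
    if (off >= avail)
        return 0;                       /* EOF */
    return (int)(avail - off < len ? avail - off : len);
}

/* The getattr size loop: runs until xread "returns 0".  On a broken source
 * it never would; max_iter is a guard so the model stops and reports -1. */
static long attr_size_overloaded(const char *src, int broken, unsigned max_iter)
{
    size_t total = 0;
    int n;
    while ((n = model_xread_overloaded(src, broken, total, 16)) != 0) {
        if (max_iter-- == 0)
            return -1;                  /* would have hung the kernel */
        total += (size_t)n;
    }
    return (long)total;
}
/* Hardened form: status and length travel separately, so an error can
 * neither pass for data nor be mistaken for EOF. */
static int model_xread_fixed(const char *src, int broken, size_t off,
                             size_t len, size_t *lenp)
{
    size_t avail = strlen(src);
    if (broken)
        return ENXIO;
    *lenp = off >= avail ? 0 : (avail - off < len ? avail - off : len);
    return 0;
}
/* Returns the size, or -errno so the caller can propagate the failure. */
static long attr_size_fixed(const char *src, int broken)
{
    size_t total = 0, n = 0;
    int error;
    while ((error = model_xread_fixed(src, broken, total, 16, &n)) == 0 && n != 0)
        total += n;
    return error ? -(long)error : (long)total;
}
```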
>How-To-Repeat:
Build a kernel with a broken msgbuf, or set the hostname
to 256 bytes long, and run "ls -l /kern".
>Fix:
The following code should work around the problem.
I don't know if better error handling is necessary.
--- kernfs_vnops.c.orig Thu Aug 26 07:54:17 1999
+++ kernfs_vnops.c Mon Jun 5 00:40:50 2000
@@ -234,7 +234,7 @@
*/
if (!msgbufenabled || msgbufp->msg_magic != MSG_MAGIC) {
msgbufenabled = 0;
- return (ENXIO);
+ return (0);
}
/*
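Review bot: Returning 0 from the KTT_MSGBUF branch masks the ENXIO condition instead of fixing the loop that misreads it; since the description says kernfs_getattr loops until kernfs_xread returns 0, this change makes a corrupt msgbuf indistinguishable from an empty one to every caller of kernfs_xread, so "ls -l /kern" now reports a zero size with no hint that msgbuf is broken. Consider keeping `return (ENXIO);` and making the loop around line 498 stop on an error as well as on 0, or returning the error through a separate out parameter so that a length and an errno can no longer be confused.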
@@ -261,7 +261,7 @@
int xlen = hostnamelen;
if (xlen >= (len-2))
- return (EINVAL);
+ return (0);
memcpy(*bufp, cp, xlen);
(*bufp)[xlen] = '\n';
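Review bot: The EINVAL here guards the `memcpy(*bufp, cp, xlen);` and the `(*bufp)[xlen] = '\n';` that follow, so turning it into `return (0);` silently presents a 256-byte hostname as empty rather than as an error; the caller gets no bytes and no indication why. Prefer keeping the bounds check's error return and fixing the kernfs_getattr loop to terminate on error, or, if a degraded result is acceptable, truncating xlen to `len - 2` and still writing the trailing newline, with a comment stating which behaviour was chosen.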
>Release-Note:
>Audit-Trail:
>Unformatted: