Hmm, in usr/src/uts/common/fs/hsfs/hsfs_vfsops.c function hs_mountfs(), whenever we take one of the first three |goto cleanup| paths, the local variables |svp| and |jvp| are still uninitialized. The cleanup section then tests those uninitialized stack-local pointers and passes them to kmem_free(), which should corrupt the kernel heap ...
struct hs_volume *svp; /* Supplemental VD for ISO-9660:1999 */ struct hs_volume *jvp; /* Joliet VD */ ... /* * Refuse to go any further if this * device is being used for swapping */ if (IS_SWAPVP(common_specvp(devvp))) { error = EBUSY; goto cleanup; } vap.va_mask = AT_SIZE; if ((error = VOP_GETATTR(devvp, &vap, ATTR_COMM, cr, NULL)) != 0) { cmn_err(CE_NOTE, "Cannot get attributes of the CD-ROM driver"); goto cleanup; } /* * Make sure we have a nonzero size partition. * The current version of the SD driver will *not* fail the open * of such a partition so we have to check for it here. */ if (vap.va_size == 0) { error = ENXIO; goto cleanup; } /* * Init a new hsfs structure. */ fsp = kmem_zalloc(sizeof (*fsp), KM_SLEEP); svp = kmem_zalloc(sizeof (*svp), KM_SLEEP); jvp = kmem_zalloc(sizeof (*jvp), KM_SLEEP); ... cleanup: (void) VOP_CLOSE(devvp, FREAD, 1, (offset_t)0, cr, NULL); VN_RELE(devvp); if (fsp) kmem_free(fsp, sizeof (*fsp)); if (svp) kmem_free(svp, sizeof (*svp)); if (jvp) kmem_free(jvp, sizeof (*jvp)); return (error); _______________________________________________ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org