I filed a bug at http://bugs.opensolaris.org/;
Bug-ID is not yet known.

Fix is obvious:

diff --git a/usr/src/uts/common/fs/hsfs/hsfs_vfsops.c 
b/usr/src/uts/common/fs/hsfs/hsfs_vfsops.c
--- a/usr/src/uts/common/fs/hsfs/hsfs_vfsops.c
+++ b/usr/src/uts/common/fs/hsfs/hsfs_vfsops.c
@@ -596,8 +596,8 @@ hs_mountfs(
        size_t          pathbufsz = strlen(path) + 1;
        int             redo_rootvp;
 
-       struct hs_volume *svp;          /* Supplemental VD for ISO-9660:1999 */
-       struct hs_volume *jvp;          /* Joliet VD */
+       struct hs_volume *svp = NULL;   /* Supplemental VD for ISO-9660:1999 */
+       struct hs_volume *jvp = NULL;   /* Joliet VD */
 
        /*
         * The rules for which extension will be used are:
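Review bot: The NULL initializers are right, but the reason for them belongs next to the declarations, since nothing else marks svp and jvp as the two locals that the shared `cleanup:` label frees conditionally; a comment such as `/* NULL until allocated: cleanup: frees them only if non-NULL */` on the svp line would keep a later edit from dropping the initializer again. The same cleanup block tests `fsp` before freeing it, and the hunk does not show where fsp is declared, so it is worth confirming that it, too, holds NULL before the first `goto cleanup`. hs_mountfs begins and ends outside the hunk.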


> Hmm, in usr/src/uts/common/fs/hsfs/hsfs_vfsops.c function hs_mountfs(),
> whenever we take one of the first three |goto cleanup|, the local variables
> |svp| and |jvp| are uninitialized. That should corrupt the kernel heap
> when we kmem_free() with an uninitialized stack pointer value in the
> cleanup section ...
> 
> 
> 
>         struct hs_volume *svp;          /* Supplemental VD for ISO-9660:1999 
*/
>         struct hs_volume *jvp;          /* Joliet VD */
> 
> ...
> 
>       /*
>          * Refuse to go any further if this
>          * device is being used for swapping
>          */
>         if (IS_SWAPVP(common_specvp(devvp))) {
>               error = EBUSY;
>                 goto cleanup;
>       }
> 
>       vap.va_mask = AT_SIZE;
>         if ((error = VOP_GETATTR(devvp, &vap, ATTR_COMM, cr, NULL)) != 0) {
>               cmn_err(CE_NOTE, "Cannot get attributes of the CD-ROM driver");
>                 goto cleanup;
>       }
> 
>       /*
>          * Make sure we have a nonzero size partition.
>          * The current version of the SD driver will *not* fail the open
>          * of such a partition so we have to check for it here.
>          */
>         if (vap.va_size == 0) {
>               error = ENXIO;
>                 goto cleanup;
>       }
>       
>         /*
>          * Init a new hsfs structure.
>          */
>         fsp = kmem_zalloc(sizeof (*fsp), KM_SLEEP);
>         svp = kmem_zalloc(sizeof (*svp), KM_SLEEP);
>         jvp = kmem_zalloc(sizeof (*jvp), KM_SLEEP);
> 
> ...
> 
> 
> cleanup:
>         (void) VOP_CLOSE(devvp, FREAD, 1, (offset_t)0, cr, NULL);
>         VN_RELE(devvp);
>         if (fsp)
>               kmem_free(fsp, sizeof (*fsp));
>       if (svp)
>               kmem_free(svp, sizeof (*svp));
>       if (jvp)
>               kmem_free(jvp, sizeof (*jvp));
>       return (error);
> 
