From: John-Mark Gurney
Date: Mon, 30 Sep 2013 17:35:48 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
Subject: svn commit: r255950 - stable/8/sys/fs/cd9660

Author: jmg
Date: Mon Sep 30 17:35:48 2013
New Revision: 255950
URL: http://svnweb.freebsd.org/changeset/base/255950

Log:
  MFC: r255866, r255867

  fix a bug where we access a bread buffer after we have brelse'd it...
  The kernel normally didn't unmap/context switch away before we accessed
  the buffer most of the time, but under heavy I/O pressure and lots of
  mount/unmounting this would cause a fault on nofault panic...

  NULL stale pointers (should be a no-op as they should no longer be
  used)...

Modified:
  stable/8/sys/fs/cd9660/cd9660_vfsops.c
Directory Properties:
  stable/8/sys/ (props changed)
  stable/8/sys/fs/ (props changed)

Modified: stable/8/sys/fs/cd9660/cd9660_vfsops.c
==============================================================================
--- stable/8/sys/fs/cd9660/cd9660_vfsops.c Mon Sep 30 17:23:45 2013 (r255949) +++ stable/8/sys/fs/cd9660/cd9660_vfsops.c Mon Sep 30 17:35:48 2013 (r255950) @@ -369,6 +369,9 @@ iso_mountfs(devvp, mp) pribp->b_flags |= B_AGE; brelse(pribp); pribp = NULL; + rootp = NULL; + pri = NULL; + pri_sierra = NULL; mp->mnt_data = isomp; mp->mnt_stat.f_fsid.val[0] = dev2udev(dev); 
@@ -391,11 +394,11 @@ iso_mountfs(devvp, mp) /* Check the Rock Ridge Extension support */ if (!(isomp->im_flags & ISOFSMNT_NORRIP)) { - if ((error = bread(isomp->im_devvp, - (isomp->root_extent + isonum_711(rootp->ext_attr_length)) << - (isomp->im_bshift - DEV_BSHIFT), - isomp->logical_block_size, NOCRED, &bp)) != 0) - goto out; + if ((error = bread(isomp->im_devvp, (isomp->root_extent + + isonum_711(((struct iso_directory_record *)isomp->root)-> + ext_attr_length)) << (isomp->im_bshift - DEV_BSHIFT), + isomp->logical_block_size, NOCRED, &bp)) != 0) + goto out; rootp = (struct iso_directory_record *)bp->b_data; @@ -412,6 +415,7 @@ iso_mountfs(devvp, mp) bp->b_flags |= B_AGE; brelse(bp); bp = NULL; + rootp = NULL; } if (isomp->im_flags & ISOFSMNT_KICONV && cd9660_iconv) { @@ -466,6 +470,7 @@ iso_mountfs(devvp, mp) if (supbp) { brelse(supbp); supbp = NULL; + sup = NULL; } return 0;
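Review bot: in the hunk at @@ -369,6 +369,9 @@, the three assignments added after brelse(pribp) have no comment saying why rootp, pri and pri_sierra are cleared together with pribp. The placement suggests they all point into the buffer just released; a one-line comment stating that would tell the next person who adds another pointer into that buffer that it must be cleared here too. Clearing them is worth keeping even if it is a no-op today, because a leftover dereference then faults on NULL at the point of misuse instead of reading whatever the buffer cache has put in that memory.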
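Review bot: in the bread() call at @@ -391,11 +394,11 @@, the replacement expression ((struct iso_directory_record *)isomp->root)->ext_attr_length depends on isomp->root already holding a full copy of the root directory record, and that copy is not visible anywhere in this diff. Please confirm it is made before the brelse(pribp) in the first hunk and that isomp->root is large enough for the fields read through the cast. For readability, consider assigning the cast to a typed local before the call rather than embedding it in the block-number arithmetic; the removed rootp->ext_attr_length read is the access after release the log describes, so this is the line most worth being easy to audit.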
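Review bot: in the hunk at @@ -466,6 +470,7 @@, sup = NULL is placed inside if (supbp) directly before return 0, so if sup is a local it is a dead store with no runtime effect, which matches the log's "should be a no-op". The error path reached through goto out (used in the second hunk) is not part of this diff; check that it releases supbp, pribp and bp in the same way and does not touch sup, pri, pri_sierra or rootp after the corresponding brelse(), since that path is where a stale pointer would be most likely to survive.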