From owner-svn-src-stable@FreeBSD.ORG  Wed Feb  6 18:30:54 2013
Return-Path: <owner-svn-src-stable@FreeBSD.ORG>
Delivered-To: svn-src-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by hub.freebsd.org (Postfix) with ESMTP id EF651A76;
 Wed,  6 Feb 2013 18:30:54 +0000 (UTC) (envelope-from mav@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 by mx1.freebsd.org (Postfix) with ESMTP id E1366FB2;
 Wed,  6 Feb 2013 18:30:54 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.5/8.14.5) with ESMTP id r16IUsY5016932;
 Wed, 6 Feb 2013 18:30:54 GMT (envelope-from mav@svn.freebsd.org)
Received: (from mav@localhost)
 by svn.freebsd.org (8.14.5/8.14.5/Submit) id r16IUslq016923;
 Wed, 6 Feb 2013 18:30:54 GMT (envelope-from mav@svn.freebsd.org)
Message-Id: <201302061830.r16IUslq016923@svn.freebsd.org>
From: Alexander Motin <mav@FreeBSD.org>
Date: Wed, 6 Feb 2013 18:30:54 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org
Subject: svn commit: r246426 - stable/9/sys/cam/ctl
X-SVN-Group: stable-9
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for all the -stable branches of the src tree
 <svn-src-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-stable>,
 <mailto:svn-src-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable>
List-Post: <mailto:svn-src-stable@freebsd.org>
List-Help: <mailto:svn-src-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-stable>,
 <mailto:svn-src-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Feb 2013 18:30:55 -0000

Author: mav
Date: Wed Feb  6 18:30:53 2013
New Revision: 246426
URL: http://svnweb.freebsd.org/changeset/base/246426

Log:
  MFC r240948 (by trasz):
  Fix panic in CTL caused by trying to free invalid pointers passed
  by the userland process via the IOCTL interface.

Modified:
  stable/9/sys/cam/ctl/ctl.c
Directory Properties:
  stable/9/sys/   (props changed)

Modified: stable/9/sys/cam/ctl/ctl.c
==============================================================================
--- stable/9/sys/cam/ctl/ctl.c	Wed Feb  6 18:22:52 2013	(r246425)
+++ stable/9/sys/cam/ctl/ctl.c	Wed Feb  6 18:30:53 2013	(r246426)
@@ -2075,6 +2075,11 @@ ctl_copyin_args(int num_be_args, struct 
 		goto bailout;
 
 	for (i = 0; i < num_be_args; i++) {
+		args[i].kname = NULL;
+		args[i].kvalue = NULL;
+	}
+
+	for (i = 0; i < num_be_args; i++) {
 		uint8_t *tmpptr;
 
 		args[i].kname = ctl_copyin_alloc(args[i].name,