diff options
| author | davide <davide@FreeBSD.org> | 2012-10-31 03:34:07 +0000 |
|---|---|---|
| committer | davide <davide@FreeBSD.org> | 2012-10-31 03:34:07 +0000 |
| commit | 793cdde76e978e65ad5e743e35dbe3a92b381e90 (patch) | |
| tree | 0c92e4f2f9c4d973dcd0bbeb244ef685f1342ee1 /sys/netsmb/smb_usr.c | |
| parent | a7cdc19e4b4ea767e597c3017133326b0697bd0d (diff) | |
| download | FreeBSD-src-793cdde76e978e65ad5e743e35dbe3a92b381e90.zip FreeBSD-src-793cdde76e978e65ad5e743e35dbe3a92b381e90.tar.gz | |
Fix panic due to page faults while in kernel mode, under conditions of
VM pressure. The reason is that in some codepaths pointers to stack
variables were passed from one thread to another.
In collaboration with: pho
Reported by: pho's stress2 suite
Sponsored by: iXsystems inc.
Diffstat (limited to 'sys/netsmb/smb_usr.c')
| -rw-r--r-- | sys/netsmb/smb_usr.c | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/sys/netsmb/smb_usr.c b/sys/netsmb/smb_usr.c index b538807..6c3e6b1 100644 --- a/sys/netsmb/smb_usr.c +++ b/sys/netsmb/smb_usr.c @@ -127,8 +127,8 @@ smb_usr_lookup(struct smbioc_lookup *dp, struct smb_cred *scred, struct smb_vc **vcpp, struct smb_share **sspp) { struct smb_vc *vcp = NULL; - struct smb_vcspec vspec; - struct smb_sharespec sspec, *sspecp = NULL; + struct smb_vcspec vspec; /* XXX */ + struct smb_sharespec sspec, *sspecp = NULL; /* XXX */ int error; if (dp->ioc_level < SMBL_VC || dp->ioc_level > SMBL_SHARE) @@ -212,7 +212,7 @@ int smb_usr_simplerequest(struct smb_share *ssp, struct smbioc_rq *dp, struct smb_cred *scred) { - struct smb_rq rq, *rqp = &rq; + struct smb_rq *rqp; struct mbchain *mbp; struct mdchain *mdp; u_int8_t wc; @@ -231,9 +231,12 @@ smb_usr_simplerequest(struct smb_share *ssp, struct smbioc_rq *dp, case SMB_COM_TREE_CONNECT_ANDX: return EPERM; } + rqp = malloc(sizeof(struct smb_rq), M_SMBTEMP, M_WAITOK); error = smb_rq_init(rqp, SSTOCP(ssp), dp->ioc_cmd, scred); - if (error) + if (error) { + free(rqp, M_SMBTEMP); return error; + } mbp = &rqp->sr_rq; smb_rq_wstart(rqp); error = mb_put_mem(mbp, dp->ioc_twords, dp->ioc_twc * 2, MB_MUSER); @@ -271,6 +274,7 @@ bad: dp->ioc_serror = rqp->sr_serror; dp->ioc_error = rqp->sr_error; smb_rq_done(rqp); + free(rqp, M_SMBTEMP); return error; } @@ -292,15 +296,18 @@ int smb_usr_t2request(struct smb_share *ssp, struct smbioc_t2rq *dp, struct smb_cred *scred) { - struct smb_t2rq t2, *t2p = &t2; + struct smb_t2rq *t2p; struct mdchain *mdp; int error, len; if (dp->ioc_setupcnt > 3) return EINVAL; + t2p = malloc(sizeof(struct smb_t2rq), M_SMBTEMP, M_WAITOK); error = smb_t2_init(t2p, SSTOCP(ssp), dp->ioc_setup[0], scred); - if (error) + if (error) { + free(t2p, M_SMBTEMP); return error; + } len = t2p->t2_setupcount = dp->ioc_setupcnt; if (len > 1) t2p->t2_setupdata = dp->ioc_setup; @@ -351,5 +358,6 @@ bad: if (t2p->t_name) smb_strfree(t2p->t_name); smb_t2_done(t2p); + free(t2p, M_SMBTEMP); return error; } |
