Subject: Re: Uninitialised variable in ffs_mount()?
To: Simon Burge <simonb@netbsd.org>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: tech-kern
Date: 12/14/1999 12:26:28
> Message-Id: <199912140147.MAA10537@balrog.supp.cpr.itg.telecom.com.au>
> From: Simon Burge <simonb@netbsd.org>
> To: tech-kern@netbsd.org
> Subject: Uninitialised variable in ffs_mount()?
> Date: Tue, 14 Dec 1999 12:47:55 +1100
> Sender: tech-kern-owner@netbsd.org
> Precedence: list
> Delivered-To: tech-kern@netbsd.org
> 
> Folks,
> 
> In ufs/ffs/ffs_vfsops.c:ffs_mount(), "fs" is only initialised in the
> block starting:
> 
> 	if (mp->mnt_flag & MNT_UPDATE) {
> 
> but is referenced in a block starting:
> 
> 	if ((mp->mnt_flag & MNT_UPDATE) == 0) {
> 
> at line 239 in version 1.56.  

That's not what I have at line 239..

Line 285, maybe..

> This looks like it could panic with a
> null pointer reference if a softdep enabled filesystem is mounted
> asynchronously.  It looks like it's as simple as moving
> 
> 	ump = VFSTOUFS(mp);
> 	fs = ump->um_fs;
> 
> to before line 295 (or better is deleting those two altogether and
> moving the similar lines at line 189 before the first "if") but I don't
> want to mess with areas I don't know about...  Anyone want to look into
> this (or tell me if my analysis is flawed)?

I agree that this is a problem; however, fs->fs_fsmnt isn't valid in
the "new mount" case until the copyinstr() on line 306.  (And I think
VFSTOUFS(mp) won't work until the ffs_mountfs is done.)

ick.

Frank?  do you see any better solution?

					- Bill
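The ordering problem the two messages describe, as an added C model that is not from the thread or from NetBSD's ffs_vfsops.c: the struct layouts, flag values, model_mountfs() and the reordered variant are assumptions, chosen only to show why fs must become valid on both the update and the new-mount path before anything reads it.

```c
#include <stddef.h>
/* Constructed model of the ffs_mount() flow discussed above; flag values,
 * struct layouts and model_mountfs() are placeholders, not NetBSD code. */
#define MNT_UPDATE 0x01
#define MNT_ASYNC  0x02
struct fs       { int fs_softdep; };
struct ufsmount { struct fs um_fs_storage; struct fs *um_fs; };
struct mount    { int mnt_flag; struct ufsmount *mnt_data; };
#define VFSTOUFS(mp) ((mp)->mnt_data)
/* Stand-in for ffs_mountfs(): only after this does VFSTOUFS(mp) point
 * anywhere, which is Bill's point about the new-mount case. */
static void model_mountfs(struct mount *mp, struct ufsmount *st, int softdep) {
	st->um_fs = &st->um_fs_storage;
	st->um_fs->fs_softdep = softdep;
	mp->mnt_data = st;
}
/* Ordering as Simon describes it: fs is assigned only under MNT_UPDATE but
 * consulted on the new-mount path.  Returns 1 where the real code would
 * dereference an unset pointer, 0 otherwise. */
static int mount_buggy(struct mount *mp, struct ufsmount *st, int softdep) {
	struct fs *fs = NULL;	/* indeterminate in the real code; NULL makes it visible */
	if (mp->mnt_flag & MNT_UPDATE)
		fs = VFSTOUFS(mp)->um_fs;
	if ((mp->mnt_flag & MNT_UPDATE) == 0) {
		if ((mp->mnt_flag & MNT_ASYNC) && fs == NULL)
			return 1;	/* the softdep check would read fs->fs_softdep here */
		model_mountfs(mp, st, softdep);
	}
	return 0;
}
/* One ordering that makes fs valid on both paths (an assumption, not the fix
 * NetBSD adopted): attach the ufsmount first, then read fs, then check it. */
static int mount_reordered(struct mount *mp, struct ufsmount *st, int softdep) {
	struct fs *fs;
	if ((mp->mnt_flag & MNT_UPDATE) == 0)
		model_mountfs(mp, st, softdep);
	fs = VFSTOUFS(mp)->um_fs;
	if ((mp->mnt_flag & MNT_ASYNC) && fs->fs_softdep)
		return 2;	/* refused cleanly instead of faulting */
	return 0;
}
/* Simon's case, a new asynchronous softdep mount, through both orderings;
 * returns buggy*10 + reordered, i.e. 12. */
static int demo_new_async_softdep(void) {
	struct ufsmount a, b;
	struct mount m1 = { MNT_ASYNC, NULL }, m2 = { MNT_ASYNC, NULL };
	return mount_buggy(&m1, &a, 1) * 10 + mount_reordered(&m2, &b, 1);
}
```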