From owner-freebsd-hackers Sun Feb 14 14:42:47 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA20074 for freebsd-hackers-outgoing; Sun, 14 Feb 1999 14:42:47 -0800 (PST) (envelope-from owner-freebsd-hackers@FreeBSD.ORG) Received: from alpo.whistle.com (alpo.whistle.com [207.76.204.38]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA20049; Sun, 14 Feb 1999 14:42:43 -0800 (PST) (envelope-from julian@whistle.com) Received: (from daemon@localhost) by alpo.whistle.com (8.8.5/8.8.5) id OAA16213; Sun, 14 Feb 1999 14:33:21 -0800 (PST) Received: from current1.whistle.com(207.76.205.22) via SMTP by alpo.whistle.com, id smtpdD16211; Sun Feb 14 22:33:14 1999 Date: Sun, 14 Feb 1999 14:33:10 -0800 (PST) From: Julian Elischer To: Matthew Dillon cc: hackers@FreeBSD.ORG, stable@FreeBSD.ORG Subject: Re: Again: sorflush() bug fix in uipc_usrreq.c -- need someone to review this In-Reply-To: <199902142053.MAA07985@apollo.backplane.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG I'm not convinced that it may not be impossible to get anything but socket fds in the 'hitlist' Since to get on it the fd must be involved in a cyclical reference (see the big comment in prior code). still the check can't hurt.. julian On Sun, 14 Feb 1999, Matthew Dillon wrote: > Nobody but Doug has gotten back to me on this patch, which is in -current > but not currently in stable. Doug indicated that he wasn't very familiar > with the area in question. > > I think it's pretty important that this patch make it into the 3.1 > release but I would like someone familiar with the code to double-check > it. If nobody gets back to me today on it I am going to commit it to > -stable w/ Jordan's permission. > > -Matt > Matthew Dillon > > > > : This fix is currently comitted to -4.x. I don't want to backport it to > : -3.x until I get an independant review. > : > : This code is ( I believe ) part of the message queue flushing for > : typically unix domain sockets, relating to file descriptor passing. > : This code is attempting to flush the in-transit file descriptors when > : both sides of the connection go poof. > : > : The problem ( I believe ) is that it is calling sorflush() potentially > : on non-sockets. While most uses of file descriptor passing pass only > : sockets, if this bug is hit for those uses that do not, it could corrupt > : kernel memory or cause a crash. > : > : I need someone to check the code and tell me I'm not blowing smoke before > : I backport this :-) > : > : -Matt > : Matthew Dillon > : > : > :*** uipc_usrreq.c 1998/10/25 17:44:51 1.37 > :--- uipc_usrreq.c 1999/01/21 08:03:49 > :*************** > :*** 1114,1121 **** > : /* > : * for each FD on our hit list, do the following two things > : */ > :! for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp) > :! sorflush((struct socket *)(*fpp)->f_data); > : for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp) > : closef(*fpp, (struct proc *) NULL); > : free((caddr_t)extra_ref, M_FILE); > :--- 1114,1124 ---- > : /* > : * for each FD on our hit list, do the following two things > : */ > :! for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp) { > :! struct file *tfp = *fpp; > :! if (tfp->f_type == DTYPE_SOCKET && tfp->f_data != NULL) > :! sorflush((struct socket *)(tfp->f_data)); > :! } > : > : > :To Unsubscribe: send mail to majordomo@FreeBSD.org > :with "unsubscribe freebsd-hackers" in the body of the message > : > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-hackers" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message