Date: Sun, 14 Feb 1999 12:53:44 -0800 (PST) From: Matthew Dillon <dillon@apollo.backplane.com> To: hackers@FreeBSD.ORG, stable@FreeBSD.ORG Subject: Again: sorflush() bug fix in uipc_usrreq.c -- need someone to review this Message-ID: <199902142053.MAA07985@apollo.backplane.com>
next in thread | raw e-mail | index | archive | help
Nobody but Doug has gotten back to me on this patch, which is in -current
but not currently in stable. Doug indicated that he wasn't very familiar
with the area in question.
I think it's pretty important that this patch make it into the 3.1
release but I would like someone familiar with the code to double-check
it. If nobody gets back to me today on it I am going to commit it to
-stable w/ Jordan's permission.
-Matt
Matthew Dillon
<dillon@backplane.com>
: This fix is currently comitted to -4.x. I don't want to backport it to
: -3.x until I get an independant review.
:
: This code is ( I believe ) part of the message queue flushing for
: typically unix domain sockets, relating to file descriptor passing.
: This code is attempting to flush the in-transit file descriptors when
: both sides of the connection go poof.
:
: The problem ( I believe ) is that it is calling sorflush() potentially
: on non-sockets. While most uses of file descriptor passing pass only
: sockets, if this bug is hit for those uses that do not, it could corrupt
: kernel memory or cause a crash.
:
: I need someone to check the code and tell me I'm not blowing smoke before
: I backport this :-)
:
: -Matt
: Matthew Dillon
: <dillon@backplane.com>
:
:*** uipc_usrreq.c 1998/10/25 17:44:51 1.37
:--- uipc_usrreq.c 1999/01/21 08:03:49
:***************
:*** 1114,1121 ****
: /*
: * for each FD on our hit list, do the following two things
: */
:! for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp)
:! sorflush((struct socket *)(*fpp)->f_data);
: for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp)
: closef(*fpp, (struct proc *) NULL);
: free((caddr_t)extra_ref, M_FILE);
:--- 1114,1124 ----
: /*
: * for each FD on our hit list, do the following two things
: */
:! for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp) {
:! struct file *tfp = *fpp;
:! if (tfp->f_type == DTYPE_SOCKET && tfp->f_data != NULL)
:! sorflush((struct socket *)(tfp->f_data));
:! }
:
:
:To Unsubscribe: send mail to majordomo@FreeBSD.org
:with "unsubscribe freebsd-hackers" in the body of the message
:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199902142053.MAA07985>