Date: Sun, 14 Feb 1999 12:53:44 -0800 (PST)
From: Matthew Dillon
Message-Id: <199902142053.MAA07985@apollo.backplane.com>
To: hackers@FreeBSD.ORG, stable@FreeBSD.ORG
Subject: Again: sorflush() bug fix in uipc_usrreq.c -- need someone to review this

Nobody but Doug has gotten back to me on this patch, which is in -current but not currently in stable. Doug indicated that he wasn't very familiar with the area in question. I think it's pretty important that this patch make it into the 3.1 release but I would like someone familiar with the code to double-check it. If nobody gets back to me today on it I am going to commit it to -stable w/ Jordan's permission.

-Matt
Matthew Dillon

: This fix is currently committed to -4.x. I don't want to backport it to
: -3.x until I get an independent review.
:
: This code is ( I believe ) part of the message queue flushing for
: typically unix domain sockets, relating to file descriptor passing.
: This code is attempting to flush the in-transit file descriptors when
: both sides of the connection go poof.
:
: The problem ( I believe ) is that it is calling sorflush() potentially
: on non-sockets.
: While most uses of file descriptor passing pass only
: sockets, if this bug is hit for those uses that do not, it could corrupt
: kernel memory or cause a crash.
:
: I need someone to check the code and tell me I'm not blowing smoke before
: I backport this :-)
:
: -Matt
: Matthew Dillon
:
:*** uipc_usrreq.c 1998/10/25 17:44:51 1.37 :--- uipc_usrreq.c 1999/01/21 08:03:49 :*************** :*** 1114,1121 **** : /* : * for each FD on our hit list, do the following two things : */ :! for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp) :! sorflush((struct socket *)(*fpp)->f_data); : for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp) : closef(*fpp, (struct proc *) NULL); : free((caddr_t)extra_ref, M_FILE); :--- 1114,1124 ---- : /* : * for each FD on our hit list, do the following two things : */ :! for (i = nunref, fpp = extra_ref; --i >= 0; ++fpp) { :! struct file *tfp = *fpp; :! if (tfp->f_type == DTYPE_SOCKET && tfp->f_data != NULL) :! sorflush((struct socket *)(tfp->f_data)); :! }
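
Review bot: the new `tfp->f_type == DTYPE_SOCKET && tfp->f_data != NULL` guard in the first loop carries no comment explaining why entries on extra_ref may not be sockets, and the block comment above it still reads "do the following two things" without saying that the first now applies to sockets only. A one-line comment next to the test, stating that sorflush() is only valid on DTYPE_SOCKET files and that other types are skipped, would keep a later cleanup from removing the check. It would also help to say whether f_data can actually be NULL for a DTYPE_SOCKET file at this point or whether that half of the test is purely defensive. The new side as quoted stops at the closing brace, so the closef() loop and the free() of extra_ref that appear on the old side are not visible here; please confirm they are unchanged in the version to be committed to -stable.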