From owner-freebsd-current Thu Oct 10 17:13:52 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA27930 for current-outgoing; Thu, 10 Oct 1996 17:13:52 -0700 (PDT)
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id RAA27914; Thu, 10 Oct 1996 17:13:13 -0700 (PDT)
Received: from crevenia.parc.xerox.com ([13.2.116.11]) by alpha.xerox.com with SMTP id <15129(7)>; Thu, 10 Oct 1996 17:12:36 PDT
Received: from localhost by crevenia.parc.xerox.com with SMTP id <177476>; Thu, 10 Oct 1996 17:12:24 -0700
To: Karl Denninger
cc: fenner@parc.xerox.com (Bill Fenner), current@freebsd.org, hackers@freebsd.org, pst@jnx.com
Subject: Re: Crash in -current (and fix) - plus NEW issue!
In-reply-to: Your message of "Thu, 10 Oct 96 16:47:04 PDT." <199610102347.SAA16950@Jupiter.Mcs.Net>
Date: Thu, 10 Oct 1996 17:12:20 PDT
From: Bill Fenner
Message-Id: <96Oct10.171224pdt.177476@crevenia.parc.xerox.com>
Sender: owner-current@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <199610102347.SAA16950@Jupiter.Mcs.Net> you write:
>From what I can see of the code the following fragment looked safe:
>
>sofree(so2);
>so2=sonewconn(so, 0);

I think this will leave the socket on the incomplete connections queue.
tcp_drop() already tries to free the socket, but sofree() refuses since
so_flags has SS_NOFDREF set. This means that it will still take up a
queue slot even though that's exactly what we're trying to avoid.

I think my suggested fix is:

	if (so2) {
		so2->so_flags &= ~SS_NOFDREF;
		tcp_drop(sototcpcb(so2), ETIMEDOUT);
		so2 = sonewconn(so, 0);
		if (so2 == 0)	/* can't happen? */
			goto drop;
	} else
		goto drop;

Turning off SS_NOFDREF will let tcp_drop free the socket, and you check to
make absolutely sure that sonewconn() gave you something.

>So I inserted that in the appropriate place... We'll see what happens; I'm
>running that test kernel now on the machine which was blowing up.

I think it'll still blow up; since sofree() doesn't actually free the
socket (or remove it from the lists), the so2=sonewconn(so,0) will fail
and if you don't check the result you'll die later.

  Bill
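The failure mode argued over in this thread, as an added example that is not code from the message or from the FreeBSD kernel: a toy model of a listening socket's incomplete-connection queue in which a "drop" that does not actually release the entry leaves the queue full, so the following allocation returns NULL and an unchecked caller would dereference it. The queue limit (QLIMIT), the m_-prefixed stand-ins for sonewconn()/sofree()/tcp_drop(), and the rule that the model's sofree declines to release a socket while the NOFDREF-style flag is set are all assumptions made here to mirror the behaviour the message describes, not the real kernel code.

```c
/* Added model of the queue-slot problem discussed in the message.
 * Assumptions: QLIMIT, the m_* names and the flag semantics are this
 * example's own; they are not the FreeBSD implementation. */
#include <stdio.h>
#include <stdlib.h>

#define QLIMIT 3            /* assumed limit on the incomplete queue */
#define M_NOFDREF 0x1       /* stands in for SS_NOFDREF: no fd refers to the socket */

struct msock {
    int id;
    unsigned flags;
    struct msock *next;     /* singly linked incomplete queue, oldest first */
};

struct mlisten {
    struct msock *q0;       /* head of the incomplete queue */
    int q0len;
    int next_id;
};

/* Models sonewconn(): appends a fresh socket or returns NULL when full. */
struct msock *m_sonewconn(struct mlisten *head)
{
    if (head->q0len >= QLIMIT)
        return NULL;
    struct msock *so = calloc(1, sizeof *so);
    if (so == NULL)
        return NULL;
    so->id = head->next_id++;
    so->flags = M_NOFDREF;  /* nothing user-visible refers to it yet */
    struct msock **pp = &head->q0;
    while (*pp)
        pp = &(*pp)->next;
    *pp = so;
    head->q0len++;
    return so;
}

/* Models sofree() as the message describes it: refuses while M_NOFDREF is
 * set, otherwise unlinks the socket from the queue and frees it. */
int m_sofree(struct mlisten *head, struct msock *so)
{
    if (so->flags & M_NOFDREF)
        return 0;           /* refused: the queue slot stays occupied */
    struct msock **pp = &head->q0;
    while (*pp && *pp != so)
        pp = &(*pp)->next;
    if (*pp == NULL)
        return 0;
    *pp = so->next;
    head->q0len--;
    free(so);
    return 1;
}

/* Models tcp_drop(): tears the connection down and tries to free it. */
int m_tcp_drop(struct mlisten *head, struct msock *so)
{
    return m_sofree(head, so);
}

/* The quoted fragment: free the oldest entry, allocate, never check. */
struct msock *make_room_unchecked(struct mlisten *head)
{
    struct msock *so2 = head->q0;
    if (so2 == NULL)
        return NULL;
    m_sofree(head, so2);        /* refused, queue is still full */
    return m_sonewconn(head);   /* NULL; a caller that uses it will crash */
}

/* The suggested fix: clear the flag so the drop really frees the slot,
 * then bail out (the message's "goto drop") if sonewconn() gave nothing. */
struct msock *make_room_checked(struct mlisten *head)
{
    struct msock *so2 = head->q0;
    if (so2 == NULL)
        return NULL;
    so2->flags &= ~M_NOFDREF;
    m_tcp_drop(head, so2);
    so2 = m_sonewconn(head);
    if (so2 == NULL)
        return NULL;            /* corresponds to "goto drop" */
    return so2;
}

/* Release every queued socket regardless of flags (test/cleanup helper). */
void drain_listener(struct mlisten *head)
{
    while (head->q0) {
        struct msock *so = head->q0;
        head->q0 = so->next;
        free(so);
    }
    head->q0len = 0;
}

/* Start from an empty listener and fill the incomplete queue to its limit. */
void fill_listener(struct mlisten *head)
{
    head->q0 = NULL;
    head->q0len = 0;
    head->next_id = 1;
    while (m_sonewconn(head) != NULL)
        ;
}

int main(void)
{
    struct mlisten l;
    fill_listener(&l);
    printf("unchecked: %s\n", make_room_unchecked(&l) ? "got socket" : "NULL (still full)");
    printf("checked:   %s\n", make_room_checked(&l) ? "got socket" : "NULL");
    drain_listener(&l);
    return 0;
}
```

With the queue at its limit, the unchecked variant gets NULL back because the refused free left the oldest socket in place; the checked variant actually vacates a slot and still verifies the result before using it.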