Date:      Thu, 25 Oct 2001 08:25:54 -0700 (PDT)
From:      Maxim Katargin <kmv@asplinux.ru>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/31492: Panic in sysctl_remove_oid. 
Message-ID:  <200110251525.f9PFPsd42744@freefall.freebsd.org>


>Number:         31492
>Category:       kern
>Synopsis:       Panic in sysctl_remove_oid.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 25 08:30:02 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Maxim Katargin
>Release:        4.4
>Organization:
>Environment:
FreeBSD walder.asplinux.ru 4.4-RELEASE FreeBSD 4.4-RELEASE #1: Mon Sep 17 13:29:51 MSD 2001 root@walder.asplinux.ru:/usr/obj/ext/release-4.4/src/sys/WALDER  i386
>Description:
Panic in sysctl_remove_oid when the kernel is built with INVARIANTS.
The memory is used after the free() call was made for it.
>How-To-Repeat:

>Fix:
Index: kern/kern_sysctl.c
===================================================================
RCS file: /ext/vcvs/src/sys/kern/kern_sysctl.c,v
retrieving revision 1.92.2.5
diff -u -r1.92.2.5 kern_sysctl.c
--- kern/kern_sysctl.c  2001/06/18 23:48:13     1.92.2.5
+++ kern/kern_sysctl.c  2001/10/25 15:26:31
@@ -281,15 +281,26 @@
         */
        if ((oidp->oid_kind & CTLTYPE) == CTLTYPE_NODE) {
                if (oidp->oid_refcnt == 1) {
-                       SLIST_FOREACH(p, SYSCTL_CHILDREN(oidp), oid_link) {
-                               if (!recurse)
+                       if (!SLIST_EMPTY(SYSCTL_CHILDREN(oidp)) && !recurse)
                                        return (ENOTEMPTY);
-                               error = sysctl_remove_oid(p, del, recurse);
-                               if (error)
-                                       return (error);
-                       }
-                       if (del)
+
+                       if (del) {
+                               while (!SLIST_EMPTY(SYSCTL_CHILDREN(oidp))) {
+                                       p = SLIST_FIRST(SYSCTL_CHILDREN(oidp));
+                                       error = sysctl_remove_oid(p, del, recurse);
+                                       if (error)
+                                               return (error);
+                               }
                                free(SYSCTL_CHILDREN(oidp), M_SYSCTLOID);
+                       } else {
+                               SLIST_FOREACH(p, SYSCTL_CHILDREN(oidp), oid_link) {
+                                       if (!recurse)
+                                               return (ENOTEMPTY);
+                                       error = sysctl_remove_oid(p, del, recurse);
+                                       if (error)
+                                               return (error);
+                               }
+                       }
                }
        }
        if (oidp->oid_refcnt > 1 ) {
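
Review bot: The new `while (!SLIST_EMPTY(SYSCTL_CHILDREN(oidp)))` loop in the `del` branch terminates only if every successful `sysctl_remove_oid(p, del, recurse)` call actually unlinks `p` from the parent's list. The trailing context shows a separate `oidp->oid_refcnt > 1` path; if that path can return 0 for a child without unlinking it, `SLIST_FIRST()` hands back the same `p` on every pass and the loop never exits. Please confirm that case cannot occur for children here, or guard against it (for example, bail out with an error when the list head is unchanged after a successful call). Two smaller points: in the `else` branch the inner `if (!recurse) return (ENOTEMPTY);` is now unreachable, because the new `!SLIST_EMPTY(...) && !recurse` test above already returns for a non-empty list, so it can be dropped; and the `return (ENOTEMPTY);` under the new `if` keeps the indentation of the old nested loop and should be pulled back one level. A short comment stating that `SLIST_FOREACH` must not be used when the callee frees the current element would also help future readers of this function.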

>Release-Note:
>Audit-Trail:
>Unformatted:
