From owner-freebsd-bugs Thu Nov 28 11:10:03 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA08924 for bugs-outgoing; Thu, 28 Nov 1996 11:10:03 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA08918; Thu, 28 Nov 1996 11:10:01 -0800 (PST)
Date: Thu, 28 Nov 1996 11:10:01 -0800 (PST)
Message-Id: <199611281910.LAA08918@freefall.freebsd.org>
To: freebsd-bugs
Cc:
From: Bill Paul
Subject: Re: kern/2114: recv() with MSG_PEEK and NULL pointer wedges system
Reply-To: Bill Paul
Sender: owner-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

The following reply was made to PR kern/2114; it has been noted by GNATS.

From: Bill Paul
To: bde@zeta.org.au (Bruce Evans)
Cc: FreeBSD-gnats-submit@freebsd.org, current@freebsd.org
Subject: Re: kern/2114: recv() with MSG_PEEK and NULL pointer wedges system
Date: Thu, 28 Nov 1996 14:03:29 -0500 (EST)

Of all the gin joints in all the towns in all the world, Bruce Evans had
to walk into mine and say:

> > The test program that freezes my system has also been
> > reported to have the same effect on a machine of 2.2-RELENG
> > vintage.
>
> One of the uiomove()s in soreceive() returns EFAULT and doesn't
> make any progress. The return code is not checked. This should
> be easy to fix.
>
> Bruce

Oh, I see: you want _me_ to fix it. My, you are a trusting soul, aren't
you. :)

If my limited understanding of the problem is correct, then what's
happening is that the failing uiomove() is happening inside a while()
loop, and before control returns to the top of the loop where the error
would be noticed, it gets stuck in another loop which never terminates
due to the uiomove() failure.
Well, the obvious fix would seem to be this:

*** uipc_socket.c.orig	Thu Nov 28 13:15:11 1996
--- uipc_socket.c	Thu Nov 28 13:05:37 1996
***************
*** 702,707 ****
--- 702,709 ----
  splx(s);
  error = uiomove(mtod(m, caddr_t) + moff, (int)len, uio);
  s = splnet();
+ if (error)
+ goto release;
  } else
  uio->uio_resid -= len;
  if (len == m->m_len - moff) {

I'm not 100% sure this is the _correct_ fix however: there are a lot of
mbufs being slung about, and it's hard to tell if this does the right
thing without accidentally causing a leak somewhere. In any case, this
does fix the immediate problem: with this patch in place, my sample
program gets back an EFAULT rather than freezing the system.

Note that OpenBSD and NetBSD may well be subject to the same bug since
this code comes direct from 4.4BSD-Lite.

-Bill

--
=============================================================================
-Bill Paul            (212) 854-6020 | System Manager, Master of Unix-Fu
Work:         wpaul@ctr.columbia.edu | Center for Telecommunications Research
Home:  wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
=============================================================================
 "If you're ever in trouble, go to the CTR. Ask for Bill. He will help you."
=============================================================================
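Review bot: the new `if (error) goto release;` sits after `s = splnet();`, so release is entered at the same priority level the rest of the loop runs at, which is the right ordering; the jump does, however, skip the mbuf bookkeeping that begins at `if (len == m->m_len - moff) {`, so the one thing to confirm before committing is that the release path correctly disposes of an mbuf that was only partially copied on a non-MSG_PEEK receive (the MSG_PEEK case from the PR leaves the chain attached to the socket buffer, so it is the consuming path, not the peeking one, where a leak could hide). A one-line comment on the added check naming the EFAULT wedge it closes would also help the next reader of this loop.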
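The failure mode Bruce and Bill describe, a copy routine whose return value is ignored by a loop that measures its own progress through that copy, is easy to see in a small model. The following C program is an added example written for this archive page; it is not FreeBSD's soreceive() or uiomove() and does not reproduce the real kernel's mbuf handling. The names uiomove_model, receive_model and run_receive, the struct layouts, the two-mbuf chain and the iteration cap are all constructed for the demonstration. uiomove_model() fails with EFAULT (copying nothing, as the real routine does when the user buffer is unmapped), and receive_model() advances through the chain only by the amount the copy consumed; without the error check the loop retries the same mbuf forever, and the cap turns that spin into a reportable ELOOP instead of a hung process.

```c
/* Constructed model of a receive-side copy loop; not the FreeBSD soreceive()
 * code. It shows why an unchecked copy failure turns a progress-driven loop
 * into a spin, and how a one-line check after the copy ends it. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct mbuf { const char *data; size_t len; struct mbuf *next; };
struct uio  { char *buf; size_t resid; int fault; };

/* Stand-in for uiomove(): copies len bytes into the user buffer, or fails with
 * EFAULT when the destination is "unmapped" (uio->fault set). On failure
 * nothing is copied and resid is left unchanged. */
static int uiomove_model(const char *src, size_t len, struct uio *uio)
{
    if (uio->fault)
        return EFAULT;
    memcpy(uio->buf, src, len);
    uio->buf   += len;
    uio->resid -= len;
    return 0;
}

/* Copies out of the chain until uio->resid reaches 0 or the chain is exhausted.
 * Progress is derived from how much resid shrank, which is exactly what a
 * failed copy never changes. check_error == 0 ignores the return value of
 * uiomove_model() (the bug); check_error == 1 leaves on the first failure
 * (the fix). Returns 0, the errno from the copy, or ELOOP if the iteration
 * cap is hit, i.e. the loop would otherwise spin forever. */
static int receive_model(struct mbuf *m, struct uio *uio, int check_error, int cap)
{
    size_t moff = 0;               /* offset into the current mbuf */
    int error = 0, iters = 0;

    while (m != NULL && uio->resid > 0) {
        if (++iters > cap)
            return ELOOP;          /* stands in for "system wedged" */

        size_t len = m->len - moff;
        if (len > uio->resid)
            len = uio->resid;

        size_t before = uio->resid;
        error = uiomove_model(m->data + moff, len, uio);
        if (check_error && error)
            break;                 /* the fix: stop on copy failure */

        /* Buggy path falls through. copied is 0 after a failed copy, so
         * neither m nor moff moves and the same mbuf is retried forever. */
        size_t copied = before - uio->resid;
        if (copied == m->len - moff) {   /* mbuf exhausted: move to the next */
            m = m->next;
            moff = 0;
        } else {                         /* partial copy: stay on this mbuf */
            moff += copied;
        }
    }
    return error;
}

/* Runs one receive against a constructed two-mbuf chain ("hello", " world")
 * into a buffer that is either mapped (fault == 0) or unmapped (fault == 1). */
static int run_receive(int fault, int check_error, char *out, size_t outlen)
{
    struct mbuf m2 = { " world", 6, NULL };
    struct mbuf m1 = { "hello", 5, &m2 };
    struct uio uio = { out, outlen, fault };
    return receive_model(&m1, &uio, check_error, 1000);
}

int main(void)
{
    char buf[12] = {0};
    printf("mapped buffer, unchecked: %d (%s)\n", run_receive(0, 0, buf, 11), buf);
    printf("unmapped, unchecked:      %d (ELOOP=%d, would spin)\n",
           run_receive(1, 0, buf, 11), ELOOP);
    printf("unmapped, checked:        %d (EFAULT=%d)\n",
           run_receive(1, 1, buf, 11), EFAULT);
    return 0;
}
```

The check is placed immediately after the copy, which is what Bill's patch does, rather than only in the while() condition: the lesson of the PR is that any bookkeeping between the copy and the next test of the loop condition runs with a stale idea of how much data was moved, so the error has to be acted on before that bookkeeping, not after it.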