dls@j.cc.purdue.edu (David L. Stevens) (10/16/86)
Index: /usr/src/sys/sys/ipc.c 2.9BSD (with ISR mods)

Description:
	When creating a socket, the syscall can leave a file structure that claims to be a socket, but has no socket structure pointer in f_socket. This results in a bus error when the file is closed, from within a program or on exit.

Repeat-By:
	Call socket() with a protocol that isn't supported; when there are no mbufs available; or any time when socreate() will fail. Then fork() and exit. This will result in a kernel mode bus error and a panic().

Fix:
	The problem is that socket() tries to get rid of the file reference by setting the reference count to 0. A fork will increment this and then there is an unusable file structure that will be closed on exit. Since the FSOCKET bit is set, soclose() will be called and it blindly tries to dereference f_socket. The fix is to simply not mark the file structure as a socket unless socreate() succeeds. The reference count trick works fine as long as soclose() isn't called.

*** BROKEN /usr/src/sys/sys/ipc.c Wed Oct 15 21:09:00 1986
--- FIXED /usr/src/sys/sys/ipc.c Tue Oct 14 14:01:49 1986
***************
*** 100,106
  	}
  	if ((fp = falloc()) == NULL)
  		return;
! 	fp->f_flag = FSOCKET|FREAD|FWRITE;
  	if (uap->asp && copyin((caddr_t)uap->asp, (caddr_t)&sp, sizeof (sp)) ||
  	    uap->asa && copyin((caddr_t)uap->asa, (caddr_t)&sa, sizeof (sa))) {
  		u.u_error = EFAULT;
--- 100,106 -----
  	}
  	if ((fp = falloc()) == NULL)
  		return;
! 	fp->f_flag = FREAD|FWRITE;
  	if (uap->asp && copyin((caddr_t)uap->asp, (caddr_t)&sp, sizeof (sp)) ||
  	    uap->asa && copyin((caddr_t)uap->asa, (caddr_t)&sa, sizeof (sa))) {
  		u.u_error = EFAULT;
***************
*** 110,115
  	    uap->asp ? &sp : 0, uap->asa ? &sa : 0, uap->options);
  	if (u.u_error)
  		goto bad;
  	fp->f_socket = so;
  	return;
  bad:
--- 110,116 -----
  	    uap->asp ? &sp : 0, uap->asa ? &sa : 0, uap->options);
  	if (u.u_error)
  		goto bad;
+ 	fp->f_flag |= FSOCKET;
  	fp->f_socket = so;
  	return;
  bad:
-- 
+-DLS (dls@j.cc.purdue.edu)
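Review bot: the first hunk (`fp->f_flag = FREAD|FWRITE;`) only makes the leftover file structure close harmlessly; it does not stop the leftover from existing. As the Fix text describes it, the bad: path (not shown in the patch) still zeroes f_count while the descriptor falloc() handed out keeps pointing at the structure, which is exactly why fork() can re-reference it. It would be worth having socket() also release that descriptor slot on the failure path before zeroing f_count, so that nothing is inherited across fork() at all; otherwise any future caller that sets FSOCKET, or any other flag with a close-time side effect, before socreate() reintroduces the same panic.

Review bot: in the second hunk, `fp->f_flag |= FSOCKET;` is added before `fp->f_socket = so;`. Swapping the two lines keeps the invariant the patch is establishing (no file structure is ever marked FSOCKET while f_socket is unset) true after every statement rather than only at return; nothing in these hunks sleeps, so it is a hardening and readability point, not a correctness one.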
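The failure sequence in the post (socket() with an unsupported protocol, then fork(), then exit) as a user-space model, added here as an illustration; this is not the 2.9BSD source and not code from the poster. The struct members and function names are borrowed from the post, but every body is invented, the descriptor table, the single "supported" protocol and the error codes are assumptions, and the kernel's bus error is represented by soclose() returning -1 on a NULL pointer. socket_broken() is the BROKEN ordering (FSOCKET set before socreate()), socket_fixed() is the FIXED ordering (FSOCKET set only after success); both leave the reference-count trick in place so the effect of the flag alone is visible.

```c
/* Toy model of the 2.9BSD socket() bug, not kernel source. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FREAD    0x01
#define FWRITE   0x02
#define FSOCKET  0x04
#define NOFILE   8
#define OK_PROTO 6          /* assumption: the only protocol socreate() accepts */

struct socket { int so_proto; };
struct file   { int f_flag; int f_count; struct socket *f_socket; };

static struct file   ftab[NOFILE];      /* system file table */
static int           nfile;             /* file structs handed out so far */
static struct socket sotab[NOFILE];     /* stand-in for the mbuf pool */
static int           nso;               /* socket structs handed out so far */
static struct file  *u_ofile[NOFILE];   /* the process's descriptor table */

static void reset(void)
{
    memset(ftab, 0, sizeof ftab); memset(sotab, 0, sizeof sotab);
    memset(u_ofile, 0, sizeof u_ofile); nfile = nso = 0;
}

/* falloc(): claim a free descriptor and a file struct with one reference */
static struct file *falloc(int *fdp)
{
    int fd;
    for (fd = 0; fd < NOFILE && u_ofile[fd] != NULL; fd++) ;
    if (fd == NOFILE || nfile == NOFILE) return NULL;
    struct file *fp = &ftab[nfile++];
    fp->f_flag = 0; fp->f_count = 1; fp->f_socket = NULL;
    u_ofile[fd] = fp; *fdp = fd;
    return fp;
}

/* socreate(): fails for unsupported protocols or when the pool is empty */
static int socreate(int proto, struct socket **sop)
{
    if (proto != OK_PROTO) return EPROTONOSUPPORT;
    if (nso == NOFILE)     return ENOBUFS;
    sotab[nso].so_proto = proto; *sop = &sotab[nso++];
    return 0;
}

/* BROKEN ordering: flagged as a socket before socreate() has run */
static int socket_broken(int proto)
{
    int fd; struct socket *so; struct file *fp = falloc(&fd);
    if (fp == NULL) return -1;
    fp->f_flag = FSOCKET | FREAD | FWRITE;
    if (socreate(proto, &so) != 0) {
        fp->f_count = 0;            /* the trick: u_ofile[fd] still points here */
        return -1;
    }
    fp->f_socket = so;
    return fd;
}

/* FIXED ordering: FSOCKET only once f_socket is guaranteed to be valid */
static int socket_fixed(int proto)
{
    int fd; struct socket *so; struct file *fp = falloc(&fd);
    if (fp == NULL) return -1;
    fp->f_flag = FREAD | FWRITE;
    if (socreate(proto, &so) != 0) {
        fp->f_count = 0;            /* same trick, same leftover struct */
        return -1;
    }
    fp->f_socket = so;
    fp->f_flag |= FSOCKET;
    return fd;
}

/* fork(): the child takes a reference on every file the descriptor table names,
 * including the leftover whose count was forced to 0 */
static void do_fork(void)
{
    for (int fd = 0; fd < NOFILE; fd++)
        if (u_ofile[fd] != NULL) u_ofile[fd]->f_count++;
}

/* soclose(): the kernel would take a bus error on NULL; we return -1 instead */
static int soclose(struct socket *so)
{
    if (so == NULL) return -1;
    so->so_proto = 0;
    return 0;
}

/* closef(): last reference gone -> socket files go through soclose() */
static int closef(struct file *fp)
{
    if (--fp->f_count > 0) return 0;
    if (fp->f_flag & FSOCKET) return soclose(fp->f_socket);
    return 0;
}

/* exit(): close every descriptor; -1 means a close would have panicked */
static int do_exit(void)
{
    int rc = 0;
    for (int fd = 0; fd < NOFILE; fd++) {
        if (u_ofile[fd] == NULL) continue;
        if (closef(u_ofile[fd]) < 0) rc = -1;
        u_ofile[fd] = NULL;
    }
    return rc;
}

/* The post's Repeat-By: socket(proto), fork(), exit(). 0 = clean, -1 = panic. */
int repeat_by(int fixed, int proto)
{
    reset();
    if (fixed) socket_fixed(proto); else socket_broken(proto);
    do_fork();
    return do_exit();
}

int main(void)
{
    printf("broken, bad proto: %d\n", repeat_by(0, 99));   /* -1: panic */
    printf("fixed,  bad proto: %d\n", repeat_by(1, 99));   /*  0: clean */
    return 0;
}
```

With the broken ordering the leftover file struct reaches closef() carrying FSOCKET and a NULL f_socket, so the model reports the fault; with the fixed ordering the same leftover is closed as a plain file and nothing dereferences f_socket, which is the behaviour the post's Fix paragraph describes. The model deliberately keeps the reference-count trick in both variants, so it also shows that the leftover struct still exists after the fix and is only harmless, not gone.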