From owner-cvs-all@FreeBSD.ORG  Thu Jul 17 16:49:12 2003
Return-Path: <owner-cvs-all@FreeBSD.ORG>
Delivered-To: cvs-all@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 4E66E37B404; Thu, 17 Jul 2003 16:49:12 -0700 (PDT)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id C1A8943FDF; Thu, 17 Jul 2003 16:49:11 -0700 (PDT)
	(envelope-from robert@FreeBSD.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
	by repoman.freebsd.org (8.12.6/8.12.6) with ESMTP id h6HNnB0U053939;
	Thu, 17 Jul 2003 16:49:11 -0700 (PDT)
	(envelope-from robert@repoman.freebsd.org)
Received: (from robert@localhost)
	by repoman.freebsd.org (8.12.6/8.12.6/Submit) id h6HNnBRK053938;
	Thu, 17 Jul 2003 16:49:11 -0700 (PDT)
Message-Id: <200307172349.h6HNnBRK053938@repoman.freebsd.org>
From: Robert Drehmel <robert@FreeBSD.org>
Date: Thu, 17 Jul 2003 16:49:10 -0700 (PDT)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org,
	cvs-all@FreeBSD.org
X-FreeBSD-CVS-Branch: HEAD
Subject: cvs commit: src/sys/sys socketvar.h src/sys/kern uipc_socket.c
X-BeenThere: cvs-all@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: CVS commit messages for the entire tree <cvs-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-all>
List-Post: <mailto:cvs-all@freebsd.org>
List-Help: <mailto:cvs-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Jul 2003 23:49:12 -0000

robert      2003/07/17 16:49:10 PDT

  FreeBSD src repository

  Modified files:
    sys/sys              socketvar.h 
    sys/kern             uipc_socket.c 
  Log:
  To avoid a kernel panic provoked by a NULL pointer dereference,
  do not clear the `sb_sel' member of the sockbuf structure
  while invalidating the receive sockbuf in sorflush(), called
  from soshutdown().
  
  The panic was reproduceable from user land by attaching a knote
  with EVFILT_READ filters to a socket, disabling further reads
  from it using shutdown(2), and then closing it.  knote_remove()
  was called to remove all knotes from the socket file descriptor
  by detaching each using its associated filterops' detach call-
  back function, sordetach() in this case, which tried to remove
  itself from the invalidated sockbuf's klist (sb_sel.si_note).
  
  PR:     kern/54331
  
  Revision  Changes    Path
  1.153     +7 -1      src/sys/kern/uipc_socket.c
  1.104     +1 -0      src/sys/sys/socketvar.h