From nobody@FreeBSD.org  Thu Oct 25 08:25:55 2001
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id D606037B401
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 25 Oct 2001 08:25:54 -0700 (PDT)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.4/8.11.4) id f9PFPsd42744;
	Thu, 25 Oct 2001 08:25:54 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200110251525.f9PFPsd42744@freefall.freebsd.org>
Date: Thu, 25 Oct 2001 08:25:54 -0700 (PDT)
From: Maxim Katargin <kmv@asplinux.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Panic in sysctl_remove_oid. 
X-Send-Pr-Version: www-1.0

>Number:         31492
>Category:       kern
>Synopsis:       Panic in sysctl_remove_oid.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 25 08:30:02 PDT 2001
>Closed-Date:    Sat Jul 12 15:07:19 PDT 2003
>Last-Modified:  Sat Jul 12 15:07:19 PDT 2003
>Originator:     Maxim Katargin
>Release:        4.4
>Organization:
>Environment:
FreeBSD walder.asplinux.ru 4.4-RELEASE FreeBSD 4.4-RELEASE #1: Mon Sep 17 13:29:51 MSD 2001 root@walder.asplinux.ru:/usr/obj/ext/release-4.4/src/sys/WALDER  i386
>Description:
Panic in sysctl_remove_oid when the kernel is built with INVARIANTS.
The memory is used after a free() call was made for it.
>How-To-Repeat:

>Fix:
Index: kern/kern_sysctl.c
===================================================================
RCS file: /ext/vcvs/src/sys/kern/kern_sysctl.c,v
retrieving revision 1.92.2.5
diff -u -r1.92.2.5 kern_sysctl.c
--- kern/kern_sysctl.c  2001/06/18 23:48:13     1.92.2.5
+++ kern/kern_sysctl.c  2001/10/25 15:26:31
@@ -281,15 +281,26 @@
         */
        if ((oidp->oid_kind & CTLTYPE) == CTLTYPE_NODE) {
                if (oidp->oid_refcnt == 1) {
-                       SLIST_FOREACH(p, SYSCTL_CHILDREN(oidp), oid_link) {
-                               if (!recurse)
+                       if (!SLIST_EMPTY(SYSCTL_CHILDREN(oidp)) && !recurse)
                                        return (ENOTEMPTY);
-                               error = sysctl_remove_oid(p, del, recurse);
-                               if (error)
-                                       return (error);
-                       }
-                       if (del)
+
+                       if (del) {
+                               while (!SLIST_EMPTY(SYSCTL_CHILDREN(oidp))) {
+                                       p = SLIST_FIRST(SYSCTL_CHILDREN(oidp));
+                                       error = sysctl_remove_oid(p, del, recurse);
+                                       if (error)
+                                               return (error);
+                               }
                                free(SYSCTL_CHILDREN(oidp), M_SYSCTLOID);
+                       } else {
+                               SLIST_FOREACH(p, SYSCTL_CHILDREN(oidp), oid_link) {
+                                       if (!recurse)
+                                               return (ENOTEMPTY);
+                                       error = sysctl_remove_oid(p, del, recurse);
+                                       if (error)
+                                               return (error);
+                               }
+                       }
                }
        }
        if (oidp->oid_refcnt > 1 ) {
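
Review bot: In the new `if (del)` branch, the `while (!SLIST_EMPTY(SYSCTL_CHILDREN(oidp)))` loop terminates only if every successful `sysctl_remove_oid(p, del, recurse)` call unlinks `p` from the parent's list. The trailing context shows a separate `oid_refcnt > 1` path whose body is outside this hunk; if that path returns 0 without unlinking, a child holding extra references is handed to the recursive call again on the next pass, so please confirm that case or bail out when `SLIST_FIRST` yields the same `p` twice. Saving the successor before the recursive call (`next = SLIST_NEXT(p, oid_link)`) would let a single loop serve both the `del` and non-`del` cases instead of duplicating the body. In the `else` branch the inner `if (!recurse) return (ENOTEMPTY);` is now unreachable, because the early `!SLIST_EMPTY(...) && !recurse` test has already returned, and the retained `return (ENOTEMPTY);` under that early test keeps its old indentation, one level too deep. The PR also has an empty How-To-Repeat section; a short note on which sysctl tree removal triggers the panic would make the fix easier to verify.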

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: iedowse 
State-Changed-When: Sun Dec 1 12:00:10 PST 2002 
State-Changed-Why:  

Again, some information on how to repeat the problem would be useful 
to understand the purpose of the patch. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=31492 
State-Changed-From-To: feedback->closed 
State-Changed-By: kris 
State-Changed-When: Sat Jul 12 15:07:10 PDT 2003 
State-Changed-Why:  
Feedback timeout 

http://www.freebsd.org/cgi/query-pr.cgi?pr=31492 
>Unformatted:
