diff options
| author | rmacklem <rmacklem@FreeBSD.org> | 2011-10-07 01:15:04 +0000 |
|---|---|---|
| committer | rmacklem <rmacklem@FreeBSD.org> | 2011-10-07 01:15:04 +0000 |
| commit | 7adae26f0ff7104dea297cfdfb4ef600e60cc78b (patch) | |
| tree | 9289dfe134ccdc9a4c169f62bc276de0f353a8d8 /sys/kern/kern_ctf.c | |
| parent | f3e29d548396db158b981d33b8e7affeac709ae3 (diff) | |
| download | FreeBSD-src-7adae26f0ff7104dea297cfdfb4ef600e60cc78b.zip FreeBSD-src-7adae26f0ff7104dea297cfdfb4ef600e60cc78b.tar.gz | |
A crash reported on freebsd-fs@ on Sep. 23, 2011 under the subject
heading "kernel panics with RPCSEC_GSS" appears to be caused by a
corrupted tailq list for the client structure. Looking at the code, calls
to the function svc_rpc_gss_forget_client() were done in an SMP unsafe
manner, with the svc_rpc_gss_lock only being acquired in the function
and not before it. As such, when multiple threads called
svc_rpc_gss_forget_client() concurrently, it could try and remove the
same client structure from the tailq lists multiple times.
The patch fixes this by moving the critical code into a separate
function called svc_rpc_gss_forget_client_locked(), which must be
called with the lock held. For the one case where the caller would
have no interest in the lock, svc_rpc_gss_forget_client() was retained,
but a loop was added to check that the client structure is still in
the tailq lists before removing it, to make it safe for multiple
concurrent calls.
Tested by: clinton.adams at gmail.com (earlier version)
Reviewed by: zkirsch
MFC after: 3 days
Diffstat (limited to 'sys/kern/kern_ctf.c')
0 files changed, 0 insertions, 0 deletions
