fix races in the uidinfo subsystem, several problems existed:

1) while allocating a uidinfo struct malloc is called with M_WAITOK,
   it's possible that while asleep another process by the same user
   could have woken up earlier and inserted an entry into the uid
   hash table.  Having redundant entries causes inconsistancies that
   we can't handle.

   fix: do a non-waiting malloc, and if that fails then do a blocking
   malloc, after waking up check that no one else has inserted an entry
   for us already.

2) Because many checks for sbsize were done as "test then set" in a non
   atomic manner it was possible to exceed the limits put up via races.

   fix: instead of querying the count then setting, we just attempt to
   set the count and leave it up to the function to return success or
   failure.

3) The uidinfo code was inlining and repeating, lookups and insertions
   and deletions needed to be in their own functions for clarity.

Reviewed by: green

1 files changed, 4 insertions, 4 deletions

diff --git a/sys/kern/uipc_sockbuf.c b/sys/kern/uipc_sockbuf.c
index 42e02a5..beb8fe5 100644
--- a/sys/kern/uipc_sockbuf.c
+++ b/sys/kern/uipc_sockbuf.c
@@ -432,10 +432,10 @@ sbreserve(sb, cc, so, p)
 	if ((u_quad_t)cc > (u_quad_t)sb_max * MCLBYTES / (MSIZE + MCLBYTES))
 		return (0);
 	delta = (rlim_t)cc - sb->sb_hiwat;
-	if (p && delta >= 0 && chgsbsize(so->so_cred->cr_uid, 0) + delta >
-	    p->p_rlimit[RLIMIT_SBSIZE].rlim_cur)
+	if (p && !chgsbsize(so->so_cred->cr_uid, delta,
+		p->p_rlimit[RLIMIT_SBSIZE].rlim_cur)) {
 		return (0);
-	(void)chgsbsize(so->so_cred->cr_uid, delta);
+	}
 	sb->sb_hiwat = cc;
 	sb->sb_mbmax = min(cc * sb_efficiency, sb_max);
 	if (sb->sb_lowat > sb->sb_hiwat)
@@ -453,7 +453,7 @@ sbrelease(sb, so)
 {
 
 	sbflush(sb);
-	(void)chgsbsize(so->so_cred->cr_uid, -(rlim_t)sb->sb_hiwat);
+	(void)chgsbsize(so->so_cred->cr_uid, -(rlim_t)sb->sb_hiwat, RLIM_INFINITY);
 	sb->sb_hiwat = sb->sb_mbmax = 0;
 }