authorandre <andre@FreeBSD.org>2012-11-27 20:04:52 +0000
committerandre <andre@FreeBSD.org>2012-11-27 20:04:52 +0000
commite323c318165801764db696c4d6d6d2f58c58e41d (patch)
treeee6ad3ab841f95b69714c855cbbeda4a95dbdc04 /sys/kern/uipc_socket.c
parentcd840ea089c3546a5cd705044efba4e7ec8621e7 (diff)
Fix a race on listen socket teardown where while draining the
accept queues a new socket/connection may be added to the queue due to a race on the ACCEPT_LOCK. The submitted patch is slightly changed in comments, teardown and locking order and extended with KASSERT's. Submitted by: Vijay Singh <vijju.singh-at-gmail-dot-com> Found by: His team. MFC after: 1 week
Diffstat (limited to 'sys/kern/uipc_socket.c')
-rw-r--r--sys/kern/uipc_socket.c25
1 files changed, 21 insertions, 4 deletions
diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c
index bed769d..e9ecd4e 100644
--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@@ -555,6 +555,16 @@ sonewconn(struct socket *head, int connstatus)
so->so_snd.sb_flags |= head->so_snd.sb_flags & SB_AUTOSIZE;
so->so_state |= connstatus;
ACCEPT_LOCK();
+ /*
+ * The accept socket may be tearing down but we just
+ * won a race on the ACCEPT_LOCK.
+ */
+ if (!(so->so_options & SO_ACCEPTCONN)) {
+ SOCK_LOCK(so);
+ so->so_head = NULL;
+ sofree(so); /* NB: returns ACCEPT_UNLOCK'ed. */
+ return (NULL);
+ }
if (connstatus) {
TAILQ_INSERT_TAIL(&head->so_comp, so, so_list);
so->so_qstate |= SQ_COMP;
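Review bot: The new teardown check in sonewconn() tests `so->so_options`, but `so` is the socket being created here: it copies sb_flags from `head` just above and is queued on `head->so_comp` just below. The flag that soclose() clears in this commit belongs to the listening socket, which in this function is `head`, so the test as written cannot observe the listener tearing down. If the new socket does not carry SO_ACCEPTCONN (its option setup is outside the hunk, so this is inferred), every incoming connection would be freed and NULL returned. The condition should read `if (!(head->so_options & SO_ACCEPTCONN)) {`. The body of sonewconn() starts and ends outside the hunk.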
@@ -780,9 +790,14 @@ soclose(struct socket *so)
drop:
if (so->so_proto->pr_usrreqs->pru_close != NULL)
(*so->so_proto->pr_usrreqs->pru_close)(so);
+ ACCEPT_LOCK();
if (so->so_options & SO_ACCEPTCONN) {
struct socket *sp;
- ACCEPT_LOCK();
+ /*
+ * Prevent new additions to the accept queues due
+ * to ACCEPT_LOCK races while we are draining them.
+ */
+ so->so_options &= ~SO_ACCEPTCONN;
while ((sp = TAILQ_FIRST(&so->so_incomp)) != NULL) {
TAILQ_REMOVE(&so->so_incomp, sp, so_list);
so->so_incqlen--;
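Review bot: The comment above `so->so_options &= ~SO_ACCEPTCONN;` does not say who reads the cleared flag, yet the fix depends on sonewconn() re-testing it after taking ACCEPT_LOCK. Naming the peer in the comment would keep the two halves from drifting apart: `/* Cleared under ACCEPT_LOCK; sonewconn() re-checks SO_ACCEPTCONN on the listen socket under the same lock and refuses to queue once it is gone. */`. The drain loop continues past the end of this hunk.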
@@ -801,13 +816,15 @@ drop:
soabort(sp);
ACCEPT_LOCK();
}
- ACCEPT_UNLOCK();
+ KASSERT((TAILQ_EMPTY(&so->so_comp)),
+ ("%s: so_comp populated", __func__));
+ KASSERT((TAILQ_EMPTY(&so->so_incomp)),
+ ("%s: so_incomp populated", __func__));
}
- ACCEPT_LOCK();
SOCK_LOCK(so);
KASSERT((so->so_state & SS_NOFDREF) == 0, ("soclose: NOFDREF"));
so->so_state |= SS_NOFDREF;
- sorele(so);
+ sorele(so); /* NB: Returns with ACCEPT_UNLOCK(). */
CURVNET_RESTORE();
return (error);
}
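Review bot: The two added KASSERTs check that the queues are empty, but not that the counters the drain loops maintain went back to zero. `so->so_incqlen--` is visible in the preceding hunk, and a stale count would pass these assertions. If the counters are meant to track the lists, a further assertion such as `KASSERT(so->so_qlen == 0 && so->so_incqlen == 0, ("%s: accept queue counts nonzero", __func__));` would catch an insert that raced the drain. KASSERT only fires in INVARIANTS kernels, so these are debugging aids rather than runtime protection. The start of soclose() is outside the hunk.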