author | rmacklem <rmacklem@FreeBSD.org> | 2009-06-17 22:50:26 +0000 |
---|---|---|
committer | rmacklem <rmacklem@FreeBSD.org> | 2009-06-17 22:50:26 +0000 |
commit | d88296a89fa7b699f237de7a86e30ce4995a2a4f (patch) | |
tree | 16d38ade3aac3d505cfcf872a12639bc87a462cc /sys/rpc | |
parent | 8f12a6bcc5ea67ea87483b297472861ac8058429 (diff) | |
Since svc_[dg|vc|tli|tp]_create() did not hold a reference count on the
SVCXPRT structure returned by them, it was possible for the structure
to be freed before svc_reg() had finished using it.
This patch acquires a reference count on the newly created structure
that is returned by svc_[dg|vc|tli|tp]_create(). It also
adds the appropriate SVC_RELEASE() calls to the callers, except the
experimental nfs subsystem. The latter will be committed separately.
Submitted by: dfr
Tested by: pho
Approved by: kib (mentor)
Diffstat (limited to 'sys/rpc')
-rw-r--r-- | sys/rpc/svc.c | 1 | ||||
-rw-r--r-- | sys/rpc/svc_generic.c | 5 | ||||
-rw-r--r-- | sys/rpc/svc_vc.c | 9 |
3 files changed, 12 insertions, 3 deletions
diff --git a/sys/rpc/svc.c b/sys/rpc/svc.c
index 8c3bd2c..a594894 100644
--- a/sys/rpc/svc.c
+++ b/sys/rpc/svc.c
@@ -276,6 +276,7 @@ xprt_register(SVCXPRT *xprt)
 {
 SVCPOOL *pool = xprt->xp_pool;
+ SVC_ACQUIRE(xprt);
 mtx_lock(&pool->sp_lock);
 xprt->xp_registered = TRUE;
 xprt->xp_active = FALSE;
diff --git a/sys/rpc/svc_generic.c b/sys/rpc/svc_generic.c
index 790b4ba..38380f2 100644
--- a/sys/rpc/svc_generic.c
+++ b/sys/rpc/svc_generic.c
@@ -120,8 +120,10 @@ svc_create(
 /* It was not found. Now create a new one */
 xprt = svc_tp_create(pool, dispatch, prognum, versnum, NULL, nconf);
- if (xprt)
+ if (xprt) {
 num++;
+ SVC_RELEASE(xprt);
+ }
 }
 }
 __rpc_endconf(handle);
@@ -179,6 +181,7 @@ svc_tp_create(
 (unsigned)prognum, (unsigned)versnum, nconf->nc_netid);
 xprt_unregister(xprt);
+ SVC_RELEASE(xprt);
 return (NULL);
 }
 return (xprt);
diff --git a/sys/rpc/svc_vc.c b/sys/rpc/svc_vc.c
index d8059b3..b7da5e2 100644
--- a/sys/rpc/svc_vc.c
+++ b/sys/rpc/svc_vc.c
@@ -324,6 +324,7 @@ svc_vc_rendezvous_recv(SVCXPRT *xprt, struct rpc_msg *msg,
 struct socket *so = NULL;
 struct sockaddr *sa = NULL;
 int error;
+ SVCXPRT *new_xprt;
 /*
 * The socket upcall calls xprt_active() which will eventually
@@ -383,10 +384,14 @@ svc_vc_rendezvous_recv(SVCXPRT *xprt, struct rpc_msg *msg,
 /*
 * svc_vc_create_conn will call xprt_register - we don't need
- * to do anything with the new connection.
+ * to do anything with the new connection except derefence it.
 */
- if (!svc_vc_create_conn(xprt->xp_pool, so, sa))
+ new_xprt = svc_vc_create_conn(xprt->xp_pool, so, sa);
+ if (!new_xprt) {
 soclose(so);
+ } else {
+ SVC_RELEASE(new_xprt);
+ }
 free(sa, M_SONAME); |
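Review bot: The `SVC_ACQUIRE(xprt)` added at the top of xprt_register() in sys/rpc/svc.c changes the ownership rules for every transport, and nothing at the call site records that. Registration now adds a reference of its own, so each path that creates and registers a transport has to drop the creator's reference separately; a caller that is not updated leaks the SVCXPRT instead of freeing it early, which is the safer failure but still a resource leak. I would add `/* Reference held on behalf of the pool for as long as xprt is registered. */` above the call. The matching release is presumably in xprt_unregister(), which is outside this hunk and should be confirmed; the function body also continues past the hunk.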
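Review bot: The success path `return (xprt);` in svc_tp_create() (sys/rpc/svc_generic.c, hunk at -179) now hands back a transport carrying a reference the caller must drop, but no comment in the visible code states that contract. The failure path here releases after xprt_unregister(), and svc_create() in the hunk at -120 releases right after `num++`, so the callers shown are balanced. A later caller has only the commit message to go on, and a missed release pins the structure and whatever it holds. I would add to the function's header comment, which lies outside the hunk, a line such as `The returned SVCXPRT holds a reference for the caller; drop it with SVC_RELEASE() when done.`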
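Review bot: The reworded comment in svc_vc_rendezvous_recv() (sys/rpc/svc_vc.c, hunk at -383) says the code will "derefence" the new connection, which is misspelled and, once corrected, reads as a pointer dereference rather than dropping a reference count. `* to do anything with the new connection except drop our reference.` describes what `SVC_RELEASE(new_xprt)` does. After that release the transport is kept alive only by the reference taken in xprt_register(), so new_xprt must not be used again in this function. The visible lines do not use it, but the body continues past the hunk.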