In accept1(), extend coverage of the socket lock from just covering

soref() to also covering the update of so_state.  While no other user
threads can update the socket state here as it's not yet hooked up to
the file descriptor array yet, the protocol could also frob the
socket state here, leading to a lost update to the so_state field.
No reported instances of this bug (as yet).

MFC after:      3 days

1 files changed, 2 insertions, 2 deletions

diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c
index 8deefe5..ec545b1 100644
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@@ -351,9 +351,8 @@ accept1(td, uap, compat)
 	 * reference count.  Otherwise, if the protocol calls sofree(),
 	 * the socket will be released due to a zero refcount.
 	 */
-	SOCK_LOCK(so);
+	SOCK_LOCK(so);			/* soref() and so_state update */
 	soref(so);			/* file descriptor reference */
-	SOCK_UNLOCK(so);
 
 	TAILQ_REMOVE(&head->so_comp, so, so_list);
 	head->so_qlen--;
@@ -361,6 +360,7 @@ accept1(td, uap, compat)
 	so->so_qstate &= ~SQ_COMP;
 	so->so_head = NULL;
 
+	SOCK_UNLOCK(so);
 	ACCEPT_UNLOCK();
 
 	/* An extra reference on `nfp' has been held for us by falloc(). */