Jack, I have just emailed a partial fix patch for the TCP socket. Can you please test it?
Waldek

On Tuesday, October 23, 2018 at 5:32:10 AM UTC-4, jack wang wrote:
>
> I found a bug: soabort() will free *so twice:
>
> soabort() (in bsd/sys/kern/uipc_socket.cc)
>   -> pru_abort() (in tcp_usr_abort in bsd/sys/netinet/tcp_usrreq.cc)
>     ->tcp_drop() (in tcp_usr_abort in bsd/sys/netinet/tcp_subr.cc)
>       ->tcp_close() (in tcp_usr_abort in bsd/sys/netinet/tcp_subr.cc)
>         ->sofree(so) //free so here for the first time
>   ->sofree(so); //free so here for the second time
>
>
> I am not familiar with the code here. I don't know how to fix it. Can
> someone help me?
>
> source code:
> void
> soabort(struct socket *so)
> {
>     uipc_d("soabort() so=%" PRIx64, (uint64_t)so);
>
>     /*
>      * In as much as is possible, assert that no references to this
>      * socket are held.  This is not quite the same as asserting that the
>      * current thread is responsible for arranging for no references, but
>      * is as close as we can get for now.
>      */
>     KASSERT(so->so_count == 0, ("soabort: so_count"));
>     KASSERT((so->so_state & SS_PROTOREF) == 0, ("soabort: SS_PROTOREF"));
>     KASSERT(so->so_state & SS_NOFDREF, ("soabort: !SS_NOFDREF"));
>     KASSERT((so->so_state & SQ_COMP) == 0, ("soabort: SQ_COMP"));
>     KASSERT((so->so_state & SQ_INCOMP) == 0, ("soabort: SQ_INCOMP"));
>     VNET_SO_ASSERT(so);
>
>     if (so->so_proto->pr_usrreqs->pru_abort != NULL)
>         (*so->so_proto->pr_usrreqs->pru_abort)(so); /*free so*/
>
>     ACCEPT_LOCK();
>     SOCK_LOCK(so);
>     sofree(so); /*free so*/
> }
>
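A minimal C model of the call pattern reported in the quoted message, added here as an illustration; it is not OSv code and not the patch mentioned in this thread. The names sock_model, tracker, release_uncond and release_ref are hypothetical, and the model assumes, as the report does, that every release call frees the socket unconditionally; the reference-counted variant is one generic way to make two release points safe.

```c
#include <stdio.h>
#include <stdlib.h>

/* Model only: hypothetical names, not OSv code. */
struct sock_model { int refs; };

/* Keeps the pointer and a release counter outside the object, so the
 * demo can count releases without touching freed memory. */
struct tracker { struct sock_model *so; int releases; };

typedef void (*release_fn)(struct tracker *);

/* Unconditional release: every call is treated as "free the socket". */
static void release_uncond(struct tracker *t)
{
    t->releases++;      /* a second increment is the double free */
    free(t->so);        /* free(NULL) is a no-op, so the model stays defined */
    t->so = NULL;
}

/* Reference-counted release: only the last holder frees. */
static void release_ref(struct tracker *t)
{
    if (t->so != NULL && --t->so->refs == 0)
        release_uncond(t);
}

/* Stands in for soabort(): protocol abort hook first, then its own release. */
static int abort_path(release_fn rel, int initial_refs)
{
    struct tracker t = { malloc(sizeof(struct sock_model)), 0 };
    if (t.so == NULL)
        return -1;
    t.so->refs = initial_refs;
    rel(&t);            /* pru_abort -> tcp_drop -> tcp_close -> release */
    rel(&t);            /* release at the end of soabort() */
    free(t.so);         /* NULL on both paths here */
    return t.releases;
}

int buggy_release_count(void)      { return abort_path(release_uncond, 1); }
int refcounted_release_count(void) { return abort_path(release_ref, 2); }

int main(void)
{
    printf("unconditional: %d releases\n", buggy_release_count());
    printf("ref-counted:   %d releases\n", refcounted_release_count());
    return 0;
}
```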