CVSROOT:        /cvs
Module name:    src
Changes by:     [email protected]   2026/06/11 13:21:51

Modified files:
        sys/kern       : uipc_socket.c 

Log message:
Fix race during socket unsplicing.

Problem was that splicing holds the socket lock when it writes
so_sp, but unsplicing does not when it reads so_sp.  So it may get
the new pointer, but PR_ZERO is not visible due to reordering.  Then
so->so_sp->ssp_socket is garbage.  Crash happened on octeon/mips64
during regress/sys/netinet/udpthread test run-unsplice.
When creating a splice from socket 1 to socket 2, kernel holds
socket buffer lock on so1->so_rcv and so2->so_snd and socket lock
on both while installing so_sp on so1 and so2.  Concurrent sosplice()
on socket 2 has the opposite order, we hold sblock on so2->so_rcv,
sblock on so1->so_snd and solock on both sockets.
The unsplice thread of the source socket did hold sblock on so->so_rcv
only.  So we did lockless so_sp check while concurrent sosplice()
thread installs so_sp on the same socket as drain, holding sblock
on so->so_snd.
Grabbing sblock on both so->so_rcv and so->so_snd fixes the crash.

with and OK mvs@
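The lock discipline described in the message, written out as an added, single-threaded C model. This is not the OpenBSD code and does not reproduce the race; it mirrors the kernel's names (so_rcv, so_snd, so_sp, ssp_socket, ssp_soback, sblock, solock) on hypothetical stand-in structures and encodes the rule the fix establishes: whoever reads so->so_sp on the unsplice path must hold the sblock on both so->so_rcv and so->so_snd, because a concurrent sosplice() may be installing so_sp on the same socket as drain while holding only the so_snd sblock. The old and fixed unsplice paths are shown side by side; the old one fails the check, the fixed one passes.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the kernel structures (assumption: names only). */
struct sockbuf { int sb_locked; };            /* sblock depth, single-threaded model */
struct socket;
struct sosplice {
    struct socket *ssp_socket;                /* drain, set on the source socket */
    struct socket *ssp_soback;                /* source, set on the drain socket */
};
struct socket {
    struct sockbuf so_rcv, so_snd;
    int so_locked;                            /* solock depth */
    struct sosplice *so_sp;
};

static void sblock(struct sockbuf *sb)   { sb->sb_locked++; }
static void sbunlock(struct sockbuf *sb) { sb->sb_locked--; }
static void solock(struct socket *so)    { so->so_locked++; }
static void sounlock(struct socket *so)  { so->so_locked--; }

/* The invariant from the commit: so_sp may only be read by unsplice when
 * both socket buffer locks of that socket are held. */
static int so_sp_read_allowed(const struct socket *so)
{
    return so->so_rcv.sb_locked > 0 && so->so_snd.sb_locked > 0;
}

/* calloc stands in for pool_get(..., PR_ZERO): so_sp is zeroed on allocation. */
static int so_sp_alloc(struct socket *so)
{
    if (so->so_sp == NULL)
        so->so_sp = calloc(1, sizeof(*so->so_sp));
    return so->so_sp != NULL ? 0 : -1;
}

/* Splice so1 -> so2: sblock so1->so_rcv and so2->so_snd, solock both,
 * then install so_sp on both sockets (the order the message describes). */
static int sosplice(struct socket *so1, struct socket *so2)
{
    int error = 0;
    sblock(&so1->so_rcv);
    sblock(&so2->so_snd);
    solock(so1);
    solock(so2);
    if (so_sp_alloc(so1) != 0 || so_sp_alloc(so2) != 0)
        error = -1;
    else {
        so1->so_sp->ssp_socket = so2;
        so2->so_sp->ssp_soback = so1;
    }
    sounlock(so2);
    sounlock(so1);
    sbunlock(&so2->so_snd);
    sbunlock(&so1->so_rcv);
    return error;
}

static void unsplice_locked(struct socket *so)
{
    struct socket *drain = so->so_sp != NULL ? so->so_sp->ssp_socket : NULL;
    if (drain == NULL)
        return;
    so->so_sp->ssp_socket = NULL;
    if (drain->so_sp != NULL)
        drain->so_sp->ssp_soback = NULL;
}

/* Pre-fix path: only the so_rcv sblock is held, so the so_sp read is lockless
 * with respect to a concurrent sosplice() installing so_sp as drain.
 * The model refuses the read and returns -1 instead of touching so_sp. */
static int sounsplice_old(struct socket *so)
{
    int ok;
    sblock(&so->so_rcv);
    ok = so_sp_read_allowed(so);
    if (ok)
        unsplice_locked(so);
    sbunlock(&so->so_rcv);
    return ok ? 0 : -1;
}

/* Fixed path: sblock on both so_rcv and so_snd before looking at so_sp. */
static int sounsplice_fixed(struct socket *so)
{
    int ok;
    sblock(&so->so_rcv);
    sblock(&so->so_snd);
    ok = so_sp_read_allowed(so);
    if (ok)
        unsplice_locked(so);
    sbunlock(&so->so_snd);
    sbunlock(&so->so_rcv);
    return ok ? 0 : -1;
}

int main(void)
{
    struct socket a = {{0}, {0}, 0, NULL}, b = {{0}, {0}, 0, NULL};
    if (sosplice(&a, &b) != 0)
        return 1;
    printf("old unsplice: %d (lock check failed)\n", sounsplice_old(&a));
    printf("fixed unsplice: %d\n", sounsplice_fixed(&a));
    free(a.so_sp);
    free(b.so_sp);
    return 0;
}
```

The model only checks lock coverage; it cannot show the store reordering that made ssp_socket garbage on mips64, since that needs real concurrency and weak memory ordering. What it does make explicit is which lock set the fixed path relies on, which is the thing to verify when reviewing changes to either side of the splice/unsplice pair.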
