Author: andre
Date: Fri Jul  5 14:12:26 2013
New Revision: 252783
URL: http://svnweb.freebsd.org/changeset/base/252783

Log:
  MFC r243627, r243638:
  
   Fix a race on listen socket teardown where while draining the
   accept queues a new socket/connection may be added to the queue
   due to a race on the ACCEPT_LOCK.
  
   The submitted patch is slightly changed in comments, teardown
   and locking order and extended with KASSERT's.
  
   Submitted by:        Vijay Singh <vijju.singh-at-gmail-dot-com>
   Found by:    His team.

Modified:
  stable/9/sys/kern/uipc_socket.c
Directory Properties:
  stable/9/sys/   (props changed)

Modified: stable/9/sys/kern/uipc_socket.c
==============================================================================
--- stable/9/sys/kern/uipc_socket.c     Fri Jul  5 14:08:36 2013        
(r252782)
+++ stable/9/sys/kern/uipc_socket.c     Fri Jul  5 14:12:26 2013        
(r252783)
@@ -502,6 +502,16 @@ sonewconn(struct socket *head, int conns
        so->so_snd.sb_flags |= head->so_snd.sb_flags & SB_AUTOSIZE;
        so->so_state |= connstatus;
        ACCEPT_LOCK();
+       /*
+        * The accept socket may be tearing down but we just
+        * won a race on the ACCEPT_LOCK.
+        */
+       if (!(head->so_options & SO_ACCEPTCONN)) {
+               SOCK_LOCK(so);
+               so->so_head = NULL;
+               sofree(so);             /* NB: returns ACCEPT_UNLOCK'ed. */
+               return (NULL);
+       }
        if (connstatus) {
                TAILQ_INSERT_TAIL(&head->so_comp, so, so_list);
                so->so_qstate |= SQ_COMP;
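Review bot: The comment added above `if (!(head->so_options & SO_ACCEPTCONN))` calls `head` "the accept socket", while the commit log and the flag being tested describe the listening socket that is being closed, so a reader tracing the race may look at the wrong object. I would word it as `/* The listen socket may be tearing down: soclose() clears SO_ACCEPTCONN under ACCEPT_LOCK, and we just won the race for that lock. */`. It would also help to note that this branch returns NULL, presumably like sonewconn()'s other failure paths, so callers see the lost race as an ordinary dropped connection. sonewconn() begins and ends outside this hunk, so whether `so` is already in a state that sofree() will actually release cannot be confirmed from here.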
@@ -727,9 +737,14 @@ soclose(struct socket *so)
 drop:
        if (so->so_proto->pr_usrreqs->pru_close != NULL)
                (*so->so_proto->pr_usrreqs->pru_close)(so);
+       ACCEPT_LOCK();
        if (so->so_options & SO_ACCEPTCONN) {
                struct socket *sp;
-               ACCEPT_LOCK();
+               /*
+                * Prevent new additions to the accept queues due
+                * to ACCEPT_LOCK races while we are draining them.
+                */
+               so->so_options &= ~SO_ACCEPTCONN;
                while ((sp = TAILQ_FIRST(&so->so_incomp)) != NULL) {
                        TAILQ_REMOVE(&so->so_incomp, sp, so_list);
                        so->so_incqlen--;
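Review bot: `so->so_options &= ~SO_ACCEPTCONN;` is a read-modify-write of the whole option word done under ACCEPT_LOCK only, before `SOCK_LOCK(so)` is taken further down in soclose(). If other writers of so_options serialize on the socket lock instead (not visible in this diff), a concurrent update could be lost; this is presumably harmless because the descriptor is already being closed, but the code should state that. I would extend the new comment with `/* Cleared under ACCEPT_LOCK because sonewconn() tests the flag under the same lock. */` and add one sentence on why SOCK_LOCK is not needed at this point. The `while` loop that starts here continues past the end of the hunk.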
@@ -748,13 +763,15 @@ drop:
                        soabort(sp);
                        ACCEPT_LOCK();
                }
-               ACCEPT_UNLOCK();
+               KASSERT((TAILQ_EMPTY(&so->so_comp)),
+                   ("%s: so_comp populated", __func__));
+               KASSERT((TAILQ_EMPTY(&so->so_incomp)),
+                   ("%s: so_incomp populated", __func__));
        }
-       ACCEPT_LOCK();
        SOCK_LOCK(so);
        KASSERT((so->so_state & SS_NOFDREF) == 0, ("soclose: NOFDREF"));
        so->so_state |= SS_NOFDREF;
-       sorele(so);
+       sorele(so);                     /* NB: Returns with ACCEPT_UNLOCK(). */
        CURVNET_RESTORE();
        return (error);
 }
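Review bot: The two new `KASSERT((TAILQ_EMPTY(...)), ...)` checks after the drain loop exist only in kernels built with INVARIANTS, so on a production kernel nothing detects a socket that lands on `so_comp` or `so_incomp` after the loop. The guarantee therefore rests on every enqueue path testing SO_ACCEPTCONN under ACCEPT_LOCK, and this diff shows that only for sonewconn(). A comment above the assertions such as `/* Queues stay empty: enqueuers must check SO_ACCEPTCONN under ACCEPT_LOCK. */` would record that invariant for future callers. As a minor style point, the new messages use `"%s: ..."` with `__func__` while the neighbouring `("soclose: NOFDREF")` hard-codes the function name. soclose() starts outside this hunk.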