From owner-freebsd-net@FreeBSD.ORG  Wed Feb 14 08:55:34 2007
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 7F32D16A408
	for <freebsd-net@freebsd.org>; Wed, 14 Feb 2007 08:55:34 +0000 (UTC)
	(envelope-from Susan.Lan@zyxel.com.tw)
Received: from zyadd226.zyxel.com.tw (59-124-182-147.HINET-IP.hinet.net
	[59.124.182.147])
	by mx1.freebsd.org (Postfix) with ESMTP id 0422E13C481
	for <freebsd-net@freebsd.org>; Wed, 14 Feb 2007 08:55:33 +0000 (UTC)
	(envelope-from Susan.Lan@zyxel.com.tw)
Received: from zytwfe02.ZyXEL.com ([172.23.5.50]) by smtp.zyxel.com.tw with
	InterScan Messaging Security Suite; Wed, 14 Feb 2007 16:41:00 +0800
Received: from zytwbe01.zyxel.com ([172.23.5.10]) by zytwfe02.ZyXEL.com with
	Microsoft SMTPSVC(6.0.3790.1830); Wed, 14 Feb 2007 16:40:26 +0800
Received: from zytwfe01.ZyXEL.com ([172.23.5.5]) by zytwbe01.zyxel.com with
	Microsoft SMTPSVC(6.0.3790.1830); Wed, 14 Feb 2007 16:40:25 +0800
Received: from [172.23.17.92] ([172.23.17.92]) by zytwfe01.ZyXEL.com with
	Microsoft SMTPSVC(6.0.3790.1830); Wed, 14 Feb 2007 16:40:25 +0800
Message-ID: <45D2CAFE.8000806@zyxel.com.tw>
Date: Wed, 14 Feb 2007 16:40:30 +0800
From: Blue <Susan.Lan@zyxel.com.tw>
User-Agent: Mozilla Thunderbird 0.9 (Windows/20041103)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-net@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 14 Feb 2007 08:40:25.0563 (UTC)
	FILETIME=[C5BFCAB0:01C75013]
Subject: [FreeBSD-6.1 6.2] Race condition could happen while two thread close
 socket?
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Feb 2007 08:55:34 -0000

Dear all:

When looking into the soclose() in uipc_socket.c, I thought of one 
possible situation.

If thread A called soclose() first, and then execute sorele() then 
sofree(). However, in sofree() (defined in uipc_socket.c), the socket 
mutex and accept mutex is unlocked first before releasing socket send 
buffer. While thread A is dealing with the send buffer releasing, 
another thread, thread B, jumped in. It also calls soclose(), and then 
sorele(). Following will be a catastrophe: sorele() will examine the 
socket's reference count ((so)->so_count), then panic occurs since the 
count value equals zero!

Is there any reasonable explanation?

Thanks.

BR,

Yi-Wen