Date: Sun, 21 May 2006 18:55:15 +0100 (BST)
From: Robert Watson
To: Maxim Konovalov
Cc: current@freebsd.org
Subject: Re: HEADS UP: socket and pcb reference changes entering tree today
In-Reply-To: <20060515025600.U70399@mp2.macomnet.net>
Message-ID: <20060521185034.K8068@fledge.watson.org>

On Mon, 15 May 2006, Maxim Konovalov wrote:

> There is a bug in raw ip code processing which panics the system. I put a
> small regression test in src/tools/regression/netinet/rawconnect.
>
> At the moment the code path for the connected raw ip socket looks like that:
>
> % soclose()
> % sodisconnect()
> % rip_disconnect()
> % rip_abort()
> % rip_pcbdetach()
> % rip_detach <<<--------- panic
> % rip_pcbdetach()
>
> .. and we panic in rip_detach() at KASSERT(inp != NULL).
>
> With this patch the panic has gone.

This looks good in terms of pcb structure, but you should acquire SOCK_LOCK
around the so_state manipulation. To prevent races, I suggest doing it while
also holding the INP lock in the center of the locking sets from the inpcb.
There are some other remaining bugs in the raw socket code elsewhere also, I
think.
Robert N M Watson

> > Index: raw_ip.c > =================================================================== > RCS file: /home/ncvs/src/sys/netinet/raw_ip.c,v > retrieving revision 1.160 > diff -u -p -r1.160 raw_ip.c > --- raw_ip.c 21 Apr 2006 09:25:39 -0000 1.160 > +++ raw_ip.c 14 May 2006 23:39:15 -0000 > @@ -661,9 +661,19 @@ rip_abort(struct socket *so) > static int > rip_disconnect(struct socket *so) > { > + struct inpcb *inp; > + > if ((so->so_state & SS_ISCONNECTED) == 0) > return ENOTCONN; > - rip_abort(so); > + > + inp = sotoinpcb(so); > + KASSERT(inp != NULL, ("rip_disconnect: inp == NULL")); > + INP_INFO_WLOCK(&ripcbinfo); > + INP_LOCK(inp); > + inp->inp_faddr.s_addr = INADDR_ANY; > + INP_UNLOCK(inp); > + INP_INFO_WUNLOCK(&ripcbinfo); > + so->so_state &= ~SS_ISCONNECTED; > return (0); > } > %%%
>
> --
> Maxim Konovalov
>
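Review bot: in the rip_disconnect() hunk, `so->so_state &= ~SS_ISCONNECTED;` is written after INP_UNLOCK(inp) and INP_INFO_WUNLOCK(&ripcbinfo) with no lock held on the socket, so so_state can be modified concurrently with another path that updates it under SOCK_LOCK. Wrap it in SOCK_LOCK(so) / SOCK_UNLOCK(so) and move it before INP_UNLOCK(inp), so that inp_faddr and so_state change within one locked region, as the reply recommends. The unchanged `if ((so->so_state & SS_ISCONNECTED) == 0)` test still reads so_state unlocked; that is pre-existing, but worth noting when the socket lock is added. Dropping the rip_abort() call is the actual fix here: disconnect no longer detaches the pcb, so the later rip_detach() from soclose() finds a non-NULL inp.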
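A userspace model of the close path in the report and of the locking the reply asks for, added here as an example and not code from this thread or from FreeBSD: the struct fields, the lock macros (which only record acquisition order), the flag value and the peer address are assumptions, and the KASSERT is counted instead of panicking.

```c
#include <errno.h>
#include <string.h>
#define SS_ISCONNECTED 0x0002u   /* flag value chosen for the model only */
#define INADDR_ANY     0u
struct inpcb  { unsigned inp_faddr; };
struct socket { unsigned so_state; struct inpcb *so_pcb; };  /* so_pcb is NULL once detached */
static struct inpcb model_inp; static struct socket model_so;  /* both reset by close_connected() */
static int  detach_null_count;   /* times rip_detach() found inp == NULL */
static char lock_trace[16];      /* I/i = INP_LOCK/UNLOCK, S/s = SOCK_LOCK/UNLOCK (model only) */
#define INP_LOCK(inp)   strcat(lock_trace, "I")
#define INP_UNLOCK(inp) strcat(lock_trace, "i")
#define SOCK_LOCK(so)   strcat(lock_trace, "S")
#define SOCK_UNLOCK(so) strcat(lock_trace, "s")
static void rip_pcbdetach(struct socket *so) { so->so_pcb = NULL; }
static void rip_abort(struct socket *so) { rip_pcbdetach(so); }
/* Pre-patch disconnect: aborting the socket also detaches its pcb. */
static int rip_disconnect_old(struct socket *so) {
    if ((so->so_state & SS_ISCONNECTED) == 0) return ENOTCONN;
    rip_abort(so);
    return 0;
}
/* Patched disconnect plus the SOCK_LOCK the reply asks for, taken while INP_LOCK
 * is still held; the pcb stays attached so rip_detach() frees it exactly once. */
static int rip_disconnect_new(struct socket *so) {
    struct inpcb *inp = so->so_pcb;
    if (inp == NULL || (so->so_state & SS_ISCONNECTED) == 0) return ENOTCONN;
    INP_LOCK(inp);
    inp->inp_faddr = INADDR_ANY;
    SOCK_LOCK(so);
    so->so_state &= ~SS_ISCONNECTED;
    SOCK_UNLOCK(so);
    INP_UNLOCK(inp);
    return 0;
}
/* rip_detach(): the KASSERT(inp != NULL) from the report, counted instead of panicking. */
static void rip_detach(struct socket *so) {
    if (so->so_pcb == NULL) { detach_null_count++; return; }
    rip_pcbdetach(so);
}
/* soclose() on a freshly connected socket (constructed peer 10.0.0.1): returns how many
 * times the NULL-pcb check in rip_detach() fired; the kernel would panic on the first. */
static int close_connected(int (*disconnect)(struct socket *)) {
    int before = detach_null_count;
    model_inp.inp_faddr = 0x0a000001u;
    model_so.so_state = SS_ISCONNECTED; model_so.so_pcb = &model_inp;
    lock_trace[0] = '\0';
    if (model_so.so_state & SS_ISCONNECTED) disconnect(&model_so);   /* sodisconnect() */
    rip_detach(&model_so);
    return detach_null_count - before;
}
```

Running close_connected() with each disconnect variant shows the old path reaching rip_detach() with a NULL pcb once and the new path never, with the lock trace "ISsi" recording the socket lock nested inside the inp lock.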