Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 21 May 2006 18:55:15 +0100 (BST)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Maxim Konovalov <maxim@macomnet.ru>
Cc:        current@freebsd.org
Subject:   Re: HEADS UP: socket and pcb reference changes entering tree today
Message-ID:  <20060521185034.K8068@fledge.watson.org>
In-Reply-To: <20060515025600.U70399@mp2.macomnet.net>
References:  <20060317141627.W2181@fledge.watson.org> <20060329100839.V19236@fledge.watson.org> <20060401102918.P79188@fledge.watson.org> <20060401170554.R82503@fledge.watson.org> <20060402233436.P76562@fledge.watson.org> <20060515025600.U70399@mp2.macomnet.net>
next in thread | previous in thread | raw e-mail | index | archive | help 

On Mon, 15 May 2006, Maxim Konovalov wrote:

> There is a bug in raw ip code processing which panics system.  I put a small 
> regression test in src/tools/regression/netinet/rawconnect.
>
> At the moment the code path for the connected raw ip socket looks like that:
>
> % soclose()
> %   sodisconnect()
> %     rip_disconnect()
> %       rip_abort()
> %         rip_pcbdetach()
> %   rip_detach <<<--------- panic
> %     rip_pcbdetach()
>
> .. and we panics in rip_detach() at KASSERT(inp != NULL).
>
> With this patch panic has gone.

This looks good in terms of pcb structure, but you should acquire SOCK_LOCK 
around the so_state manipulation.  To prevent races, I suggest doing it while 
also holding the INP lock in the center of the locking sets from the inpcb. 
There are some other remaining bugs in the raw socket code elsewhere also, I 
think.

Robert N M Watson

>
> Index: raw_ip.c
> ===================================================================
> RCS file: /home/ncvs/src/sys/netinet/raw_ip.c,v
> retrieving revision 1.160
> diff -u -p -r1.160 raw_ip.c
> --- raw_ip.c	21 Apr 2006 09:25:39 -0000	1.160
> +++ raw_ip.c	14 May 2006 23:39:15 -0000
> @@ -661,9 +661,19 @@ rip_abort(struct socket *so)
> static int
> rip_disconnect(struct socket *so)
> {
> +	struct inpcb *inp;
> +
> 	if ((so->so_state & SS_ISCONNECTED) == 0)
> 		return ENOTCONN;
> -	rip_abort(so);
> +
> +	inp = sotoinpcb(so);
> +	KASSERT(inp != NULL, ("rip_disconnect: inp == NULL"));
> +	INP_INFO_WLOCK(&ripcbinfo);
> +	INP_LOCK(inp);
> +	inp->inp_faddr.s_addr = INADDR_ANY;
> +	INP_UNLOCK(inp);
> +	INP_INFO_WUNLOCK(&ripcbinfo);
> +	so->so_state &= ~SS_ISCONNECTED;
> 	return (0);
> }
> %%%
>
> -- 
> Maxim Konovalov
>

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060521185034.K8068>