Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 17 Sep 2021 19:12:35 GMT
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 883761f0a81a - main - socket: Remove NOFREE from the socket zone
Message-ID:  <202109171912.18HJCZBq068297@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=883761f0a81af392893b235632159b15b898e4c6

commit 883761f0a81af392893b235632159b15b898e4c6
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-09-17 16:27:26 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-09-17 18:19:06 +0000

    socket: Remove NOFREE from the socket zone
    
    This flag was added during the transition away from the legacy zone
    allocator, commit c897b81311792ccf6a93feff2a405e2ae53f664e.  The old
    zone allocator effectively provided _NOFREE semantics, but it seems that
    they are not required for sockets.  In particular, we use reference
    counting to keep sockets live.
    
    One somewhat dangerous case is sonewconn(), which returns a pointer to a
    socket with reference count 0.  This socket is still effectively owned
    by the listening socket.  Protocols must therefore be careful to
    synchronize sonewconn() calls with their pru_close implementations,
    since for listening sockets soclose() will abort the child sockets.  For
    example, TCP holds the listening socket's PCB read locked across the
    sonewconn() call, which blocks tcp_usr_close(), and sofree()
    synchronizes with a concurrent soabort() of the nascent socket.
    However, _NOFREE semantics are not required here.
    
    Eliminating _NOFREE has several benefits: it enables use-after-free
    detection (e.g., by KASAN) and lets the system reclaim memory from the
    socket zone under memory pressure.  No functional change intended.
    
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D31975
---
 sys/kern/uipc_socket.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c
index 9e898861f8f4..c3f52a4640d3 100644
--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@@ -309,7 +309,7 @@ socket_init(void *tag)
 {
 
 	socket_zone = uma_zcreate("socket", sizeof(struct socket), NULL, NULL,
-	    NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
+	    NULL, NULL, UMA_ALIGN_PTR, 0);
 	maxsockets = uma_zone_set_max(socket_zone, maxsockets);
 	uma_zone_set_warning(socket_zone, "kern.ipc.maxsockets limit reached");
 	EVENTHANDLER_REGISTER(maxsockets_change, socket_zone_change, NULL,

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202109171912.18HJCZBq068297>