From owner-cvs-src@FreeBSD.ORG  Mon Oct 11 08:11:27 2004
Return-Path: <owner-cvs-src@FreeBSD.ORG>
Delivered-To: cvs-src@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 4B29F16A4CE; Mon, 11 Oct 2004 08:11:27 +0000 (GMT)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 3FAF343D41; Mon, 11 Oct 2004 08:11:27 +0000 (GMT)
	(envelope-from rwatson@FreeBSD.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
	by repoman.freebsd.org (8.12.11/8.12.11) with ESMTP id i9B8BR5Y040478;
	Mon, 11 Oct 2004 08:11:27 GMT
	(envelope-from rwatson@repoman.freebsd.org)
Received: (from rwatson@localhost)
	by repoman.freebsd.org (8.12.11/8.12.11/Submit) id i9B8BQCN040477;
	Mon, 11 Oct 2004 08:11:26 GMT
	(envelope-from rwatson)
Message-Id: <200410110811.i9B8BQCN040477@repoman.freebsd.org>
From: Robert Watson <rwatson@FreeBSD.org>
Date: Mon, 11 Oct 2004 08:11:26 +0000 (UTC)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org,
	cvs-all@FreeBSD.org
X-FreeBSD-CVS-Branch: HEAD
Subject: cvs commit: src/sys/kern uipc_socket.c
X-BeenThere: cvs-src@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: CVS commit messages for the src tree <cvs-src.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-src>,
	<mailto:cvs-src-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-src>
List-Post: <mailto:cvs-src@freebsd.org>
List-Help: <mailto:cvs-src-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-src>,
	<mailto:cvs-src-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Oct 2004 08:11:27 -0000

rwatson     2004-10-11 08:11:26 UTC

  FreeBSD src repository

  Modified files:
    sys/kern             uipc_socket.c 
  Log:
  Rework sofree() logic to take into account a possible race with accept().
  Sockets in the listen queues have reference counts of 0, so if the
  protocol decides to disconnect the pcb and try to free the socket, this
  triggered a race with accept() wherein accept() would bump the reference
  count before sofree() had removed the socket from the listen queues,
  resulting in a panic in sofree() when it discovered it was freeing a
  referenced socket.  This might happen if a RST came in prior to accept()
  on a TCP connection.
  
  The fix is two-fold: to expand the coverage of the accept mutex earlier
  in sofree() to prevent accept() from grabbing the socket after the "is it
  really safe to free" tests, and to expand the logic of the "is it really
  safe to free" tests to check that the refcount is still 0 (i.e., we
  didn't race).
  
  RELENG_5 candidate.
  
  Much discussion with and work by:       green
  Reported by:    Marc UBM Bocklet <ubm at u-boot-man dot de>
  Reported by:    Vlad <marchenko at gmail dot com>
  
  Revision  Changes    Path
  1.213     +19 -5     src/sys/kern/uipc_socket.c