From owner-svn-src-all@FreeBSD.ORG Fri Jul 5 14:30:54 2013 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id B05F0407; Fri, 5 Jul 2013 14:30:54 +0000 (UTC) (envelope-from andre@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id A2D161FF1; Fri, 5 Jul 2013 14:30:54 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id r65EUsYf059155; Fri, 5 Jul 2013 14:30:54 GMT (envelope-from andre@svn.freebsd.org) Received: (from andre@localhost) by svn.freebsd.org (8.14.7/8.14.5/Submit) id r65EUs2S059154; Fri, 5 Jul 2013 14:30:54 GMT (envelope-from andre@svn.freebsd.org) Message-Id: <201307051430.r65EUs2S059154@svn.freebsd.org> From: Andre Oppermann Date: Fri, 5 Jul 2013 14:30:54 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r252787 - stable/9/sys/netinet X-SVN-Group: stable-9 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Jul 2013 14:30:54 -0000 Author: andre Date: Fri Jul 5 14:30:54 2013 New Revision: 252787 URL: http://svnweb.freebsd.org/changeset/base/252787 Log: MFC r249317: Fix a race condition on tcp listen socket teardown with pending connections in the accept queue and contiguous new incoming SYNs. Compared to the original submitters patch I've moved the test next to the SYN handling to have it together in a logical unit and reworded the comment explaining the issue. Submitted by: Matt Miller Submitted by: Juan Mojica Reviewed by: Matt Miller (changes) Tested by: pho Modified: stable/9/sys/netinet/tcp_input.c Directory Properties: stable/9/sys/ (props changed) Modified: stable/9/sys/netinet/tcp_input.c ============================================================================== --- stable/9/sys/netinet/tcp_input.c Fri Jul 5 14:24:37 2013 (r252786) +++ stable/9/sys/netinet/tcp_input.c Fri Jul 5 14:30:54 2013 (r252787) @@ -1375,6 +1375,15 @@ relocked: */ INP_INFO_UNLOCK_ASSERT(&V_tcbinfo); return; + } else if (tp->t_state == TCPS_LISTEN) { + /* + * When a listen socket is torn down the SO_ACCEPTCONN + * flag is removed first while connections are drained + * from the accept queue in a unlock/lock cycle of the + * ACCEPT_LOCK, opening a race condition allowing a SYN + * attempt go through unhandled. + */ + goto dropunlock; } #ifdef TCP_SIGNATURE