From owner-freebsd-net@FreeBSD.ORG  Fri Feb 27 19:19:04 2015
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 355328B4;
 Fri, 27 Feb 2015 19:19:04 +0000 (UTC)
Received: from bigwig.baldwin.cx (bigwig.baldwin.cx [IPv6:2001:470:1f11:75::1])
 (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 0B57CBC2;
 Fri, 27 Feb 2015 19:19:04 +0000 (UTC)
Received: from ralph.baldwin.cx (pool-173-54-116-245.nwrknj.fios.verizon.net
 [173.54.116.245])
 by bigwig.baldwin.cx (Postfix) with ESMTPSA id 3D8E8B945;
 Fri, 27 Feb 2015 14:19:02 -0500 (EST)
From: John Baldwin <jhb@freebsd.org>
To: Adrian Chadd <adrian@freebsd.org>
Subject: Re: Accessing socket APIs soon after accept
Date: Fri, 27 Feb 2015 14:18:21 -0500
Message-ID: <4615961.47iyoSO4QG@ralph.baldwin.cx>
User-Agent: KMail/4.14.2 (FreeBSD/10.1-STABLE; KDE/4.14.2; amd64; ; )
In-Reply-To: <CAJ-Vmon5e0Wd49HVs6X_+qHACji4eGJn6eu1LOvwwk1_vXaXkg@mail.gmail.com>
References: <1421339375968.94209@netapp.com>
 <4083712.jb7qREZuG6@ralph.baldwin.cx>
 <CAJ-Vmon5e0Wd49HVs6X_+qHACji4eGJn6eu1LOvwwk1_vXaXkg@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7
 (bigwig.baldwin.cx); Fri, 27 Feb 2015 14:19:02 -0500 (EST)
Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>,
 'Robert Watson' <rwatson@freebsd.org>, "Quattlebaum,
 Ryan" <Ryan.Quattlebaum@netapp.com>
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Feb 2015 19:19:04 -0000

On Friday, February 27, 2015 10:32:17 AM Adrian Chadd wrote:
> On 27 February 2015 at 10:07, John Baldwin <jhb@freebsd.org> wrote:
> > On Friday, February 27, 2015 10:03:33 AM Adrian Chadd wrote:
> >> Is this also a bug on -9 and -10?
> > 
> > Yes.  I may merge just the tcp_syncache.c part of this change down to
> > stable branches.
> 
> Cool, thanks.
> 
> Placing half-completed connections on the queue always looked a bit odd to
> me..

So this appears stranger.  Supposedly, the tcbinfo global lock should have 
fixed this race.

In particular, in 8.x, tcp_intput holds a write lock on the tcbinfo lock 
around all of syncache_expand() including all of syncache_socket() from 
sonewconn() on down to the end of the function not releasing it until after 
the addresses are all set, etc.  tcp_usr_accept() on 8.x acquires a read lock 
on the tcbinfo global lock, so if accept() races with syncache_socket(), even 
though accept() might dequeue the socket from sq_comp before the socket is 
fully constructed, the call to soaccept() inside of accept() should call 
tcp_usr_accept() which will try to read-lock the tcbinfo lock and will thus 
block until syncache_socket() has completed.  Thus, you shouldn't be able to 
have accept() return before syncache_socket() has finished.

-- 
John Baldwin