From: Alexander Motin
Date: Fri, 07 Mar 2008 01:22:46 +0200
To: freebsd-hackers@freebsd.org
Subject: soclose() & so->so_upcall() = race?
Message-ID: <47D07CC6.5060007@FreeBSD.org>

Hi.

As I can see, the so_upcall() callback is called with SOCKBUF_MTX unlocked. It means that the SB_UPCALL flag can be removed during the call and the socket can be closed and deallocated with soclose() while the callback is running. Am I right, or have I missed something? How, in that situation, is the socket pointer protected from being used after free?

--
Alexander Motin
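The hazard asked about above, as an added user-space C model: it is not part of the original message and is not FreeBSD kernel code, and the names `msock`, `M_UPCALL`, the `msock_*` functions and `closing_upcall` are hypothetical. It shows one general way to keep an object alive across a callback that runs with the lock dropped: the caller takes a reference before unlocking, so a close that lands mid-callback cannot free the object.

```c
/* User-space model, constructed for illustration; not FreeBSD kernel code. */
#include <pthread.h>
#include <stdlib.h>
#define M_UPCALL 0x1                 /* stands in for SB_UPCALL */
struct msock {
    pthread_mutex_t mtx;             /* stands in for SOCKBUF_MTX */
    int flags, refs;                 /* refs: owner + in-flight upcalls */
    void (*upcall)(struct msock *, void *); void *arg;
};
int msock_freed;                     /* number of objects freed so far */
struct msock *msock_new(void (*fn)(struct msock *, void *), void *arg) {
    struct msock *s = calloc(1, sizeof(*s));
    if (s == NULL) return NULL;
    pthread_mutex_init(&s->mtx, NULL);
    s->flags = M_UPCALL; s->refs = 1; s->upcall = fn; s->arg = arg;
    return s;
}
/* Drop one reference; only the last holder frees the object. */
void msock_rele(struct msock *s) {
    pthread_mutex_lock(&s->mtx);
    int last = (--s->refs == 0);
    pthread_mutex_unlock(&s->mtx);
    if (last) { pthread_mutex_destroy(&s->mtx); free(s); msock_freed++; }
}
/* Close: clear the upcall flag, then drop the owner's reference. */
void msock_close(struct msock *s) {
    pthread_mutex_lock(&s->mtx);
    s->flags &= ~M_UPCALL;
    pthread_mutex_unlock(&s->mtx);
    msock_rele(s);
}
/* Wakeup: pin the object under the lock, then run the upcall unlocked. */
int msock_wakeup(struct msock *s) {
    pthread_mutex_lock(&s->mtx);
    if (!(s->flags & M_UPCALL)) { pthread_mutex_unlock(&s->mtx); return 0; }
    s->refs++;                       /* reference held across the callback */
    pthread_mutex_unlock(&s->mtx);
    s->upcall(s, s->arg);            /* a close may land here */
    msock_rele(s);                   /* may be the final reference */
    return 1;
}
/* Upcall that closes the object mid-callback and records the free count. */
void closing_upcall(struct msock *s, void *arg) {
    msock_close(s);
    *(int *)arg = msock_freed;       /* the wakeup's reference still pins s */
}
int main(void) {
    int seen = -1; struct msock *s = msock_new(closing_upcall, &seen);
    return (s && msock_wakeup(s) && seen == 0 && msock_freed == 1) ? 0 : 1;
}
```

Removing the `s->refs++` / `msock_rele(s)` pair from `msock_wakeup()` makes the close inside the callback free the object while the callback is still using it, which is the use-after-free the question describes.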