From owner-freebsd-bugs@FreeBSD.ORG  Tue Aug  3 02:20:24 2004
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 149B016A4CE
	for <freebsd-bugs@hub.freebsd.org>;
	Tue,  3 Aug 2004 02:20:24 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id EA52A43D2D
	for <freebsd-bugs@hub.freebsd.org>;
	Tue,  3 Aug 2004 02:20:23 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.11/8.12.11) with ESMTP id i732KNPX035211
	for <freebsd-bugs@freefall.freebsd.org>; Tue, 3 Aug 2004 02:20:23 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i732KNRj035210;
	Tue, 3 Aug 2004 02:20:23 GMT
	(envelope-from gnats)
Resent-Date: Tue, 3 Aug 2004 02:20:23 GMT
Resent-Message-Id: <200408030220.i732KNRj035210@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Stephan Uphoff <ups@tree.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 38F4E16A4CE
	for <FreeBSD-gnats-submit@freebsd.org>;
	Tue,  3 Aug 2004 02:13:37 +0000 (GMT)
Received: from duchess.speedfactory.net (duchess.speedfactory.net
	[66.23.201.84])	by mx1.FreeBSD.org (Postfix) with SMTP id A5B0543D48
	for <FreeBSD-gnats-submit@freebsd.org>;
	Tue,  3 Aug 2004 02:13:34 +0000 (GMT)	(envelope-from ups@tree.com)
Received: (qmail 17953 invoked by uid 89); 3 Aug 2004 02:13:29 -0000
Received: from duchess.speedfactory.net (66.23.201.84)
  by duchess.speedfactory.net with SMTP; 3 Aug 2004 02:13:29 -0000
Received: (qmail 17938 invoked by uid 89); 3 Aug 2004 02:13:29 -0000
Received: from unknown (HELO palm.tree.com) (66.23.216.49)
  by duchess.speedfactory.net with SMTP; 3 Aug 2004 02:13:29 -0000
Received: from palm.tree.com (localhost.tree.com [127.0.0.1])
	by palm.tree.com (8.12.10/8.12.10) with ESMTP id i732DSfY097395
	for <FreeBSD-gnats-submit@freebsd.org>;
	Mon, 2 Aug 2004 22:13:28 -0400 (EDT)
	(envelope-from ups@palm.tree.com)
Received: (from ups@localhost)
	by palm.tree.com (8.12.10/8.12.10/Submit) id i732DSxH097394;
	Mon, 2 Aug 2004 22:13:28 -0400 (EDT)
	(envelope-from ups)
Message-Id: <200408030213.i732DSxH097394@palm.tree.com>
Date: Mon, 2 Aug 2004 22:13:28 -0400 (EDT)
From: Stephan Uphoff <ups@tree.com>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: kern/69934: lockmgr can concurrently grant two exclusive locks
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Stephan Uphoff <ups@tree.com>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Aug 2004 02:20:24 -0000


>Number:         69934
>Category:       kern
>Synopsis:       lockmgr can concurrently grant two exclusive locks
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 03 02:20:23 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Stephan Uphoff
>Release:        FreeBSD 5.2.1-RELEASE-p5 i386
>Organization:
>Environment:
System: FreeBSD palm.tree.com 5.2.1-RELEASE-p5 FreeBSD 5.2.1-RELEASE-p5 #2: Fri May 7 20:06:27 EDT 2004 ups@palm.tree.com:/usr/obj/usr/src/sys/PALM i386


	
>Description:
Upgrading a lock does not play well together with acquiring
an exclusive lock and can lead to two threads being
granted exclusive access.

Problematic sequence:
Thread A acquires a previous unlocked lock in shared mode.
Thread B tries to acquire the same lock in exclusive mode
and blocks.
Thread A upgrades its lock - waking up thread B.
Thread B wakes up and also acquires the same lock as it only checks
if the lock is not shared or if someone wants to upgrade the lock
and not if someone already upgraded the lock to an exclusive lock.


>How-To-Repeat:
	
>Fix:

Minimal patch:
--------------

diff -u -r1.73 kern_lock.c
--- kern_lock.c	23 Jul 2004 20:12:56 -0000	1.73
+++ kern_lock.c	3 Aug 2004 01:38:07 -0000
@@ -389,7 +389,7 @@
 		/*
 		 * Wait for shared locks and upgrades to finish.
 		 */
-		error = acquire(&lkp, extflags, LK_WANT_UPGRADE | LK_SHARE_NONZERO);
+		error = acquire(&lkp, extflags, LK_HAVE_EXCL | LK_WANT_UPGRADE | LK_SHARE_NONZERO);
 		lkp->lk_flags &= ~LK_WANT_EXCL;
 		if (error)
 			break;


Better Patch:
-------------

diff -u -r1.73 kern_lock.c
--- kern_lock.c	23 Jul 2004 20:12:56 -0000	1.73
+++ kern_lock.c	3 Aug 2004 01:51:34 -0000
@@ -382,14 +382,14 @@
 		/*
 		 * Try to acquire the want_exclusive flag.
 		 */
-		error = acquire(&lkp, extflags, (LK_HAVE_EXCL | LK_WANT_EXCL));
+		error = acquire(&lkp, extflags,  LK_WANT_EXCL);
 		if (error)
 			break;
 		lkp->lk_flags |= LK_WANT_EXCL;
 		/*
 		 * Wait for shared locks and upgrades to finish.
 		 */
-		error = acquire(&lkp, extflags, LK_WANT_UPGRADE | LK_SHARE_NONZERO);
+		error = acquire(&lkp, extflags, LK_HAVE_EXCL | LK_WANT_UPGRADE | LK_SHARE_NONZERO);
 		lkp->lk_flags &= ~LK_WANT_EXCL;
 		if (error)
 			break;
>Release-Note:
>Audit-Trail:
>Unformatted: