From: Peter Wemm
To: Andre Oppermann
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Date: Tue, 27 Nov 2012 14:35:42 -0800
Subject: Re: svn commit: r243627 - head/sys/kern

Andre.. this breaks incoming connections. TCP is immediately reset and never even gets to the listener process. You need to back out or fix this urgently please.

On Tue, Nov 27, 2012 at 12:04 PM, Andre Oppermann wrote:
> Author: andre
> Date: Tue Nov 27 20:04:52 2012
> New Revision: 243627
> URL: http://svnweb.freebsd.org/changeset/base/243627
>
> Log:
>   Fix a race on listen socket teardown where while draining the
>   accept queues a new socket/connection may be added to the queue
>   due to a race on the ACCEPT_LOCK.
>
>   The submitted patch is slightly changed in comments, teardown
>   and locking order and extended with KASSERT's.
>
>   Submitted by: Vijay Singh
>   Found by: His team.
>   MFC after: 1 week
>
> Modified:
>   head/sys/kern/uipc_socket.c
>
> Modified: head/sys/kern/uipc_socket.c
> ==============================================================================
> --- head/sys/kern/uipc_socket.c Tue Nov 27 19:35:21 2012 (r243626) > +++ head/sys/kern/uipc_socket.c Tue Nov 27 20:04:52 2012 (r243627) 
> @@ -555,6 +555,16 @@ sonewconn(struct socket *head, int conns > so->so_snd.sb_flags |= head->so_snd.sb_flags & SB_AUTOSIZE; > so->so_state |= connstatus; > ACCEPT_LOCK(); > + /* > + * The accept socket may be tearing down but we just > + * won a race on the ACCEPT_LOCK. > + */ > + if (!(so->so_options & SO_ACCEPTCONN)) { > + SOCK_LOCK(so); > + so->so_head = NULL; > + sofree(so); /* NB: returns ACCEPT_UNLOCK'ed. */ > + return (NULL); > + } > if (connstatus) { > TAILQ_INSERT_TAIL(&head->so_comp, so, so_list); > so->so_qstate |= SQ_COMP; > @@ -780,9 +790,14 @@ soclose(struct socket *so) > drop: > if (so->so_proto->pr_usrreqs->pru_close != NULL) > (*so->so_proto->pr_usrreqs->pru_close)(so); > + ACCEPT_LOCK(); > if (so->so_options & SO_ACCEPTCONN) { > struct socket *sp; > - ACCEPT_LOCK(); > + /* > + * Prevent new additions to the accept queues due > + * to ACCEPT_LOCK races while we are draining them. > + */ > + so->so_options &= ~SO_ACCEPTCONN; > while ((sp = TAILQ_FIRST(&so->so_incomp)) != NULL) { > TAILQ_REMOVE(&so->so_incomp, sp, so_list); > so->so_incqlen--; > @@ -801,13 +816,15 @@ drop: > soabort(sp); > ACCEPT_LOCK(); > } > - ACCEPT_UNLOCK(); > + KASSERT((TAILQ_EMPTY(&so->so_comp)), > + ("%s: so_comp populated", __func__)); > + KASSERT((TAILQ_EMPTY(&so->so_incomp)), > + ("%s: so_incomp populated", __func__)); > } > - ACCEPT_LOCK(); > SOCK_LOCK(so); > KASSERT((so->so_state & SS_NOFDREF) == 0, ("soclose: NOFDREF")); > so->so_state |= SS_NOFDREF; > - sorele(so); > + sorele(so); /* NB: Returns with ACCEPT_UNLOCK(). */ > CURVNET_RESTORE(); > return (error); > } -- Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com; KI6FJV "All of this is for nothing if we don't go to the stars" - JMS/B5 "If Java had true garbage collection, most programs would delete themselves upon execution." -- Robert Sewell
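Review bot: In the sonewconn() hunk, the new test `if (!(so->so_options & SO_ACCEPTCONN))` reads the flag from `so`, the socket just created for the incoming connection, while the flag that soclose() clears belongs to the listening socket, which in this function is `head`. The comment above the test talks about the accept socket tearing down, so the condition should be `!(head->so_options & SO_ACCEPTCONN)`. Nothing in the visible lines sets SO_ACCEPTCONN on `so`, and if the new socket does not carry that flag the branch frees it and returns NULL on every call, which is consistent with the report at the top of this message that incoming TCP connections are reset before they reach the listener.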
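Review bot: In the first soclose() hunk, the comment above `so->so_options &= ~SO_ACCEPTCONN;` does not say that the store only works because sonewconn() re-tests the same flag after taking ACCEPT_LOCK. Name that pairing in the comment so the two sites are kept in step. The store is also made while holding ACCEPT_LOCK only, with `SOCK_LOCK(so)` taken further down, so the comment should state which lock other readers of `so_options` are expected to hold.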
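Review bot: In the second soclose() hunk, the two new KASSERTs come after a drain loop that drops the lock around `soabort(sp)` and retakes it with `ACCEPT_LOCK()`, so the empty-queue invariant they assert depends entirely on sonewconn() refusing to enqueue once the flag is cleared, and nothing checks it in a kernel built without assertions. A short comment saying so would help. As a style point, the new messages use `"%s: ..."` with `__func__` while the neighbouring assertion uses the literal `"soclose: NOFDREF"`, and the lock notes are worded two ways ("returns ACCEPT_UNLOCK'ed" in sonewconn(), "Returns with ACCEPT_UNLOCK()" here). Pick one form for each.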