From owner-svn-src-stable@freebsd.org Wed Dec 2 17:30:32 2015
From: Marcelo Araujo
Reply-To: araujo@FreeBSD.org
To: Fabien Thomas
Cc: svn-src-stable-10@freebsd.org, svn-src-stable@freebsd.org, src-committers@freebsd.org, svn-src-all@freebsd.org
Date: Thu, 3 Dec 2015 01:30:30 +0800
In-Reply-To: <201512021726.tB2HQb5p056013@repo.freebsd.org>
References: <201512021726.tB2HQb5p056013@repo.freebsd.org>
Subject: Re: svn commit: r291652 - stable/10/sys/netinet
List-Id: SVN commit messages for all the -stable branches of the src tree

Hello,

I'm sorry, but that 'even' smells buggy to me! Could you explain what that 'even' really means?

Best,

On Dec 3, 2015 1:26 AM, "Fabien Thomas" wrote:
> Author: fabient
> Date: Wed Dec 2 17:26:37 2015
> New Revision: 291652
> URL: https://svnweb.freebsd.org/changeset/base/291652
>
> Log:
> MFC r291301:
>
> The r241129 description was wrong that the scenario is possible
> only for read locks on pcbs. The same race can happen with write
> lock semantics as well.
>
> The race scenario:
>
> - Two threads (1 and 2) locate pcb with writer semantics (INPLOOKUP_WLOCKPCB)
> and do in_pcbref() on it.
> - 1 and 2 both drop the inp hash lock.
> - Another thread (3) grabs the inp hash lock. Then it runs in_pcbfree(),
> which wlocks the pcb. They must happen faster than 1 or 2 come INP_WLOCK()!
> - 1 and 2 congest in INP_WLOCK().
> - 3 does in_pcbremlists(), drops hash lock, and runs in_pcbrele_wlocked(),
> which doesn't free the pcb due to two references on it.
> Then it unlocks the pcb.
> - 1 (or 2) gets wlock on the pcb, runs in_pcbrele_wlocked(), which doesn't
> report inp as freed, due to 2 (or 1) still holding extra reference on it.
> The thread tries to do something with a disconnected pcb and crashes.
> > Submitted by: emeric.poupon@stormshield.eu > Reviewed by: glebius@ > Sponsored by: Stormshield > Tested by: Cassiano Peixoto, Stormshield > > Modified: > stable/10/sys/netinet/in_pcb.c > Directory Properties: > stable/10/ (props changed) > > Modified: stable/10/sys/netinet/in_pcb.c > > ============================================================================== > --- stable/10/sys/netinet/in_pcb.c Wed Dec 2 16:29:36 2015 > (r291651) > +++ stable/10/sys/netinet/in_pcb.c Wed Dec 2 17:26:37 2015 > (r291652) > @@ -1148,8 +1148,17 @@ in_pcbrele_wlocked(struct inpcb *inp) > > INP_WLOCK_ASSERT(inp); > > - if (refcount_release(&inp->inp_refcount) == 0) > + if (refcount_release(&inp->inp_refcount) == 0) { > + /* > + * If the inpcb has been freed, let the caller know, even > if > + * this isn't the last reference. > + */ > + if (inp->inp_flags2 & INP_FREED) { > + INP_WUNLOCK(inp); > + return (1); > + } > return (0); > + } > > KASSERT(inp->inp_socket == NULL, ("%s: inp_socket != NULL", > __func__)); > > >
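Review bot: the new INP_FREED branch in in_pcbrele_wlocked() changes the meaning of a nonzero return value from "this call freed the pcb" to "the pcb is gone as far as the caller is concerned, and the lock has been dropped", and the comment "let the caller know, even if this isn't the last reference" is too terse to convey that; this is exactly what the question in the reply is about. Suggest spelling it out in the comment, for example "The pcb was already freed from the hash lists by in_pcbfree(); the remaining references belong to other threads racing in the same path. Unlock and report it as freed so the caller does not touch inp." Two further points worth noting in the same comment: reading inp->inp_flags2 after refcount_release() is only safe because the caller still holds the write lock (INP_WLOCK_ASSERT(inp) at the top of the function) and the outstanding references keep the memory alive, and the INP_WUNLOCK(inp) before return (1) is what keeps the existing contract that a nonzero return means the caller no longer owns the lock. Since the log says r241129 already handled the read-lock variant, a one-line cross-reference to that read-lock path would help the next reader see the two checks are meant to be symmetric.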