From owner-svn-src-all@FreeBSD.ORG  Tue Nov 27 22:35:44 2012
Return-Path: <owner-svn-src-all@FreeBSD.ORG>
Delivered-To: svn-src-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
 by hub.freebsd.org (Postfix) with ESMTP id BFE8F768
 for <svn-src-all@freebsd.org>; Tue, 27 Nov 2012 22:35:44 +0000 (UTC)
 (envelope-from peter@wemm.org)
Received: from mail-lb0-f182.google.com (mail-lb0-f182.google.com
 [209.85.217.182])
 by mx1.freebsd.org (Postfix) with ESMTP id 346B88FC16
 for <svn-src-all@freebsd.org>; Tue, 27 Nov 2012 22:35:43 +0000 (UTC)
Received: by mail-lb0-f182.google.com with SMTP id go10so9836363lbb.13
 for <svn-src-all@freebsd.org>; Tue, 27 Nov 2012 14:35:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wemm.org; s=google;
 h=mime-version:in-reply-to:references:date:message-id:subject:from:to
 :cc:content-type;
 bh=NBZhnIAnjZp+Yc2JRsOuekKN6FwjlIfdnt6xfO+i02M=;
 b=Mv/HI3BS3TjsKmsofn/3akds0JcTyfjeXBPI406n3l6oU0mbrWXLAtBnCdu2UGATmZ
 hGmIkavWralFftN/F31m86GDZujWdp7fh1x7KXUsyyM7XxZin9jyR5HAlzjeMk31RBRF
 fhHEtRhCS4ni7qfevddnPoxPD4euTfwg6ZDwI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=google.com; s=20120113;
 h=mime-version:in-reply-to:references:date:message-id:subject:from:to
 :cc:content-type:x-gm-message-state;
 bh=NBZhnIAnjZp+Yc2JRsOuekKN6FwjlIfdnt6xfO+i02M=;
 b=PiDp8CZfrvhJdU3fl4VK/I3i4TWGWgCJ0wgzlM+tfXvlVguH6V7Lg0mAd6tAdx5NgJ
 1xtykCfGgXOtl7GzutNaclUsz+7We6CgljOb3ohCsOkN8Ho7oNBRPxINCzvjpGaJGLhD
 HYsQMLNFSNjW9Kn3PGkRPq3DOtjGXlAZDCwRLaV1VrcXozWo/Wau4J2ImSZ2h8VDvISJ
 9r4usPFbLAWbyU/aqwYmGClP5hUeNiQfJ/FPHcxMGIPLPlopeXiwe7tOlZkxjPug+dto
 wE0Uefw1sQxq89Zrc6h7jESg5KRAouTLhr0Sy4W9qY5yv9m9ADB/w5w5jaNYuMzlBP1L
 +0+A==
MIME-Version: 1.0
Received: by 10.112.87.40 with SMTP id u8mr7240718lbz.50.1354055742336; Tue,
 27 Nov 2012 14:35:42 -0800 (PST)
Received: by 10.112.8.36 with HTTP; Tue, 27 Nov 2012 14:35:42 -0800 (PST)
In-Reply-To: <201211272004.qARK4qS8047209@svn.freebsd.org>
References: <201211272004.qARK4qS8047209@svn.freebsd.org>
Date: Tue, 27 Nov 2012 14:35:42 -0800
Message-ID: <CAGE5yCpxOdsjefe6quR_gjs82pk9a2e_H_WUNUWhUGA3WZPJaw@mail.gmail.com>
Subject: Re: svn commit: r243627 - head/sys/kern
From: Peter Wemm <peter@wemm.org>
To: Andre Oppermann <andre@freebsd.org>
Content-Type: text/plain; charset=ISO-8859-1
X-Gm-Message-State: ALoCoQmzUSmgGSMiYfeybiv+WwhB3efXuQ+fZqaHRJ882vRvmpbaVgVboxminFRHgmIkVCQD5hTS
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org,
 src-committers@freebsd.org
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Nov 2012 22:35:44 -0000

Andre.. this breaks incoming connections.  TCP is immediately reset
and never even gets to the listener process.  You need to back out of
fix this urgently please.

On Tue, Nov 27, 2012 at 12:04 PM, Andre Oppermann <andre@freebsd.org> wrote:
> Author: andre
> Date: Tue Nov 27 20:04:52 2012
> New Revision: 243627
> URL: http://svnweb.freebsd.org/changeset/base/243627
>
> Log:
>   Fix a race on listen socket teardown where while draining the
>   accept queues a new socket/connection may be added to the queue
>   due to a race on the ACCEPT_LOCK.
>
>   The submitted patch is slightly changed in comments, teardown
>   and locking order and extended with KASSERT's.
>
>   Submitted by: Vijay Singh <vijju.singh-at-gmail-dot-com>
>   Found by:     His team.
>   MFC after:    1 week
>
> Modified:
>   head/sys/kern/uipc_socket.c
>
> Modified: head/sys/kern/uipc_socket.c
> ==============================================================================
> --- head/sys/kern/uipc_socket.c Tue Nov 27 19:35:21 2012        (r243626)
> +++ head/sys/kern/uipc_socket.c Tue Nov 27 20:04:52 2012        (r243627)
> @@ -555,6 +555,16 @@ sonewconn(struct socket *head, int conns
>         so->so_snd.sb_flags |= head->so_snd.sb_flags & SB_AUTOSIZE;
>         so->so_state |= connstatus;
>         ACCEPT_LOCK();
> +       /*
> +        * The accept socket may be tearing down but we just
> +        * won a race on the ACCEPT_LOCK.
> +        */
> +       if (!(so->so_options & SO_ACCEPTCONN)) {
> +               SOCK_LOCK(so);
> +               so->so_head = NULL;
> +               sofree(so);             /* NB: returns ACCEPT_UNLOCK'ed. */
> +               return (NULL);
> +       }
>         if (connstatus) {
>                 TAILQ_INSERT_TAIL(&head->so_comp, so, so_list);
>                 so->so_qstate |= SQ_COMP;
> @@ -780,9 +790,14 @@ soclose(struct socket *so)
>  drop:
>         if (so->so_proto->pr_usrreqs->pru_close != NULL)
>                 (*so->so_proto->pr_usrreqs->pru_close)(so);
> +       ACCEPT_LOCK();
>         if (so->so_options & SO_ACCEPTCONN) {
>                 struct socket *sp;
> -               ACCEPT_LOCK();
> +               /*
> +                * Prevent new additions to the accept queues due
> +                * to ACCEPT_LOCK races while we are draining them.
> +                */
> +               so->so_options &= ~SO_ACCEPTCONN;
>                 while ((sp = TAILQ_FIRST(&so->so_incomp)) != NULL) {
>                         TAILQ_REMOVE(&so->so_incomp, sp, so_list);
>                         so->so_incqlen--;
> @@ -801,13 +816,15 @@ drop:
>                         soabort(sp);
>                         ACCEPT_LOCK();
>                 }
> -               ACCEPT_UNLOCK();
> +               KASSERT((TAILQ_EMPTY(&so->so_comp)),
> +                   ("%s: so_comp populated", __func__));
> +               KASSERT((TAILQ_EMPTY(&so->so_incomp)),
> +                   ("%s: so_incomp populated", __func__));
>         }
> -       ACCEPT_LOCK();
>         SOCK_LOCK(so);
>         KASSERT((so->so_state & SS_NOFDREF) == 0, ("soclose: NOFDREF"));
>         so->so_state |= SS_NOFDREF;
> -       sorele(so);
> +       sorele(so);                     /* NB: Returns with ACCEPT_UNLOCK(). */
>         CURVNET_RESTORE();
>         return (error);
>  }



-- 
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com; KI6FJV
"All of this is for nothing if we don't go to the stars" - JMS/B5
"If Java had true garbage collection, most programs would delete
themselves upon execution." -- Robert Sewell