From: Gleb Smirnoff
To: Fabien Thomas
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r291301 - head/sys/netinet
Date: Thu, 26 Nov 2015 01:23:44 +0300
Message-ID: <20151125222344.GP44598@FreeBSD.org>
In-Reply-To: <201511251445.tAPEjilx016268@repo.freebsd.org>
List-Id: SVN commit messages for the src tree for head/-current

Fabien,

On Wed, Nov 25, 2015 at 02:45:44PM +0000, Fabien Thomas wrote:
F> Author: fabient
F> Date: Wed Nov 25 14:45:43 2015
F> New Revision: 291301
F> URL: https://svnweb.freebsd.org/changeset/base/291301
F>
F> Log:
F>   The r241129 description was wrong that the scenario is possible
F>   only for read locks on pcbs. The same race can happen with write
F>   lock semantics as well.
F>
F>   The race scenario:
F>
F>   - Two threads (1 and 2) locate pcb with writer semantics (INPLOOKUP_WLOCKPCB)
F>     and do in_pcbref() on it.
F>   - 1 and 2 both drop the inp hash lock.
F>   - Another thread (3) grabs the inp hash lock. Then it runs in_pcbfree(),
F>     which wlocks the pcb. They must happen faster than 1 or 2 come to INP_WLOCK()!
F>   - 1 and 2 congest in INP_WLOCK().
F>   - 3 does in_pcbremlists(), drops hash lock, and runs in_pcbrele_wlocked(),
F>     which doesn't free the pcb due to two references on it.
F>     Then it unlocks the pcb.
F>   - 1 (or 2) gets wlock on the pcb, runs in_pcbrele_wlocked(), which doesn't
F>     report inp as freed, due to 2 (or 1) still holding an extra reference on it.
F>     The thread tries to do something with a disconnected pcb and crashes.
F>
F>   Submitted by:	emeric.poupon@stormshield.eu
F>   Reviewed by:	gleb@

Note that gleb@FreeBSD.org and glebius@FreeBSD.org are two different persons.

-- 
Totus tuus, Glebius.
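The race in the quoted commit log, replayed sequentially on a toy pcb as an added example (not FreeBSD's in_pcb code and not the r291301 diff itself): `pcb_ref`, `pcb_rele_naive`, `pcb_rele_checked`, `pcb_free_step` and `PCB_FREED` are names assumed for this model, and locks are left out because only the ordering matters here. It shows why a release that reports "freed" solely when the refcount reaches zero lets thread 1 keep using a pcb that thread 3 already unlinked, and how also reporting a "freed" flag closes that window.

```c
/* Added model of the in_pcbref()/in_pcbrele_wlocked() race; all names are
 * assumed for this example and are not FreeBSD's own. Single-threaded: the
 * interleaving from the commit log is replayed step by step in replay_race(). */
#include <stdio.h>

#define PCB_FREED 0x1            /* set once in_pcbfree() unlinked the pcb */

struct pcb {
    int refcount;                /* one for the hash list plus one per lookup */
    int flags;
    int in_lists;                /* 1 while still reachable via the hash list */
};

static void pcb_ref(struct pcb *p) { p->refcount++; }

/* Naive release: reports "freed" only when the last reference drops. With
 * thread 2's reference still outstanding it returns 0 for thread 1, so the
 * caller keeps using a pcb that is already disconnected. */
static int pcb_rele_naive(struct pcb *p) {
    return (--p->refcount == 0) ? 1 : 0;
}

/* Checked release: additionally reports "do not use" when the pcb was taken
 * off the lists, even though other references keep its memory alive. */
static int pcb_rele_checked(struct pcb *p) {
    if (--p->refcount == 0) return 1;
    return (p->flags & PCB_FREED) ? 1 : 0;
}

/* Thread 3's in_pcbfree(): unlink, mark, drop the list's own reference. */
static void pcb_free_step(struct pcb *p, int (*rele)(struct pcb *)) {
    p->in_lists = 0;
    p->flags |= PCB_FREED;
    (void)rele(p);               /* cannot free: 1 and 2 still hold refs */
}

/* Returns what thread 1's release reports after the race:
 * 1 = "pcb gone, stop", 0 = "pcb usable" (wrong: it is disconnected). */
static int replay_race(int (*rele)(struct pcb *)) {
    struct pcb p = { .refcount = 1, .flags = 0, .in_lists = 1 };
    pcb_ref(&p);                 /* thread 1: lookup + in_pcbref() */
    pcb_ref(&p);                 /* thread 2: lookup + in_pcbref() */
    pcb_free_step(&p, rele);     /* thread 3 wins the pcb lock first */
    return rele(&p);             /* thread 1 finally gets the lock */
}

int main(void) {
    printf("naive release reports freed=%d\n", replay_race(pcb_rele_naive));
    printf("checked release reports freed=%d\n", replay_race(pcb_rele_checked));
    return 0;
}
```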