From owner-freebsd-net@FreeBSD.ORG Thu Jan 3 04:53:07 2008
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id ACB5616A417 for ; Thu, 3 Jan 2008 04:53:07 +0000 (UTC) (envelope-from james.juran@baesystems.com)
Received: from dmzmta101.na.baesystems.com (dmzmta101.na.baesystems.com [149.32.252.101]) by mx1.freebsd.org (Postfix) with ESMTP id 6B1A713C461 for ; Thu, 3 Jan 2008 04:53:07 +0000 (UTC) (envelope-from james.juran@baesystems.com)
Received: from BLUMS0034.bluelnk.net (blums0034.bluelnk.net [10.40.96.55]) by dmzmta101.na.baesystems.com (Switch-3.2.5/Switch-3.2.5) with ESMTP id m0334bmY010494 for ; Wed, 2 Jan 2008 22:04:38 -0500
Received: from usdmta003.na.baesystems.com ([10.40.96.59]) by BLUMS0034.bluelnk.net with InterScan Message Security Suite; Wed, 02 Jan 2008 22:06:54 -0500
Received: from GLDMS00006.goldlnk.rootlnka.net ([10.44.64.12]) by usdmta003.na.baesystems.com (Switch-3.2.5/Switch-3.2.5) with ESMTP id m03350wj017071 for ; Wed, 2 Jan 2008 22:05:00 -0500
Received: from GLDMS00013.goldlnk.rootlnka.net ([10.44.64.9]) by GLDMS00006.goldlnk.rootlnka.net with Microsoft SMTPSVC(6.0.3790.3959); Wed, 2 Jan 2008 22:06:54 -0500
Received: from 10.47.14.220 ([10.47.14.220]) by GLDMS00013.goldlnk.rootlnka.net ([10.44.64.16]) via Exchange Front-End Server webmail.na.baesystems.com ([10.44.64.12]) with Microsoft Exchange Server HTTP-DAV ; Thu, 3 Jan 2008 03:06:53 +0000
Received: from big.juranfamily.org by webmail.na.baesystems.com; 02 Jan 2008 22:06:53 -0500
From: James Juran
To: freebsd-net@freebsd.org
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Organization: BAE Systems Information Technology
Date: Wed, 02 Jan 2008 22:06:53 -0500
Message-Id: <1199329613.2807.8.camel@big.juranfamily.org>
Mime-Version: 1.0
X-Mailer: Evolution 2.12.2 (2.12.2-2.fc8)
X-OriginalArrivalTime: 03 Jan 2008 03:06:54.0050 (UTC) FILETIME=[B1627C20:01C84DB5]
Subject: unp_connect() locking problems with early returns
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 03 Jan 2008 04:53:07 -0000

There are two early returns in unp_connect() that need to re-acquire the UNP global lock before returning. This program will trigger a panic on a WITNESS-enabled system. I tested on the December snapshot of CURRENT-8.0, but the same problem occurs in RELENG_7.

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int
main(void)
{
	int s;
	struct sockaddr_un un;

	s = socket(PF_LOCAL, SOCK_STREAM, 0);
	if (s == -1) {
		perror("socket");
		exit(1);
	}
	memset(&un, 0, sizeof(un));
	un.sun_family = AF_UNIX;
	/*
	 * An address length of 2 covers only sun_len and sun_family, so
	 * unp_connect() computes a zero-length sun_path and takes the
	 * EINVAL early return.
	 */
	if ((connect(s, (struct sockaddr *)&un, 2)) == -1) {
		perror("connect");
		exit(1);
	}
	return 0;
}

I believe this patch will fix the problem, but unfortunately I do not have time to test it. Could someone please try this out? Instead of this approach, it may be possible to move the unlocking to after the early returns are done, but I have not analyzed what impact this would have.

Index: uipc_usrreq.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/uipc_usrreq.c,v
retrieving revision 1.210
diff -u -p -r1.210 uipc_usrreq.c
--- uipc_usrreq.c	1 Jan 2008 01:46:42 -0000	1.210
+++ uipc_usrreq.c	3 Jan 2008 02:53:51 -0000
@@ -1129,13 +1129,16 @@ unp_connect(struct socket *so, struct so KASSERT(unp != NULL, ("unp_connect: unp == NULL")); len = nam->sa_len - offsetof(struct sockaddr_un, sun_path); - if (len <= 0) + if (len <= 0) { + UNP_GLOBAL_WLOCK(); return (EINVAL); + } strlcpy(buf, soun->sun_path, len + 1); UNP_PCB_LOCK(unp); if (unp->unp_flags & UNP_CONNECTING) { UNP_PCB_UNLOCK(unp); + UNP_GLOBAL_WLOCK(); return (EALREADY); } unp->unp_flags |= UNP_CONNECTING; -- James Juran Lead Secure Systems Engineer BAE Systems Information Technology Information Assurance Group XTS Operating Systems james.juran@baesystems.com
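Review bot: the UNP_GLOBAL_WLOCK() added before `return (EINVAL);` is the roundabout fix: `len` is computed purely from `nam->sa_len`, which needs nothing done under the dropped lock, so that check belongs above the UNP_GLOBAL_WUNLOCK() (the alternative the mail itself raises), leaving only the UNP_CONNECTING path needing a re-lock. The second addition is ordered correctly in that `UNP_PCB_UNLOCK(unp);` precedes `UNP_GLOBAL_WLOCK();`, so the global lock is never acquired while a PCB lock is held. Two things to settle before commit: the test program only drives the first path (an address length of 2 makes `len` 0), so the EALREADY path, which needs a second connect racing on a socket that already has UNP_CONNECTING set, is untested by it; and if the file provides a write-lock assertion macro for the global lock, adding it at the caller's unlock site would pin the "returns with the lock held" contract without depending on WITNESS.

The contract the patch restores, "unp_connect() is entered with the UNP global lock held and must return with it held", is easy to break again by a future early return. As an added example, not from the mail or from FreeBSD, the following userland C program models that contract with a pthread error-checking mutex standing in for UNP_GLOBAL_WLOCK()/UNP_GLOBAL_WUNLOCK(): with PTHREAD_MUTEX_ERRORCHECK, unlocking a mutex the thread does not hold returns EPERM instead of being undefined, so a callee that returns unlocked shows up as an EPERM from the caller's unlock, where the kernel shows it as a WITNESS panic. `path_len` stands in for `nam->sa_len - offsetof(struct sockaddr_un, sun_path)`; the function and variable names are the example's own.

```c
/*
 * Added example (not from the mail or from FreeBSD): a userland model of the
 * lock contract unp_connect() must honour, using a pthread error-checking
 * mutex in place of the UNP global lock.  All names here are illustrative.
 */
#include <errno.h>
#include <pthread.h>
#include <stdio.h>

static pthread_mutex_t global_lock;
static pthread_once_t global_once = PTHREAD_ONCE_INIT;

/* Error-checking type: unlock by a non-owner returns EPERM, never silent. */
static void
global_init(void)
{
	pthread_mutexattr_t attr;

	pthread_mutexattr_init(&attr);
	pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK);
	pthread_mutex_init(&global_lock, &attr);
	pthread_mutexattr_destroy(&attr);
}

/*
 * Shape of the bug: drop the lock for a slow lookup, then return early on a
 * bad argument without taking the lock back.  path_len stands in for
 * nam->sa_len - offsetof(struct sockaddr_un, sun_path).
 */
static int
connect_buggy(int path_len)
{
	pthread_mutex_unlock(&global_lock);	/* drop for the lookup */
	if (path_len <= 0)
		return (EINVAL);		/* leaves the lock dropped */
	/* ... lookup that must run unlocked ... */
	pthread_mutex_lock(&global_lock);
	return (0);
}

/*
 * Shape of the fix the mail hints at: validate what needs no lookup before
 * dropping the lock, and give the unlocked region a single exit.
 */
static int
connect_fixed(int path_len)
{
	int error;

	if (path_len <= 0)
		return (EINVAL);		/* lock still held */
	pthread_mutex_unlock(&global_lock);
	/* ... lookup that must run unlocked ... */
	error = 0;
	pthread_mutex_lock(&global_lock);
	return (error);
}

struct outcome {
	int error;	/* what the callee returned */
	int unlock_rc;	/* 0 if the contract held, EPERM if it did not */
};

/* Mirrors the syscall side: lock, call, unlock, and report both results. */
static struct outcome
call_under_lock(int (*fn)(int), int path_len)
{
	struct outcome o;

	pthread_once(&global_once, global_init);
	pthread_mutex_lock(&global_lock);
	o.error = fn(path_len);
	o.unlock_rc = pthread_mutex_unlock(&global_lock);
	return (o);
}

int
main(void)
{
	struct outcome o;

	o = call_under_lock(connect_buggy, 0);
	printf("buggy: callee=%d unlock=%s\n", o.error,
	    o.unlock_rc == EPERM ? "EPERM (lock not held)" : "ok");
	o = call_under_lock(connect_fixed, 0);
	printf("fixed: callee=%d unlock=%s\n", o.error,
	    o.unlock_rc == EPERM ? "EPERM (lock not held)" : "ok");
	return (0);
}
```

The same discipline applies in the kernel: run cheap argument checks before the unlock, keep one re-lock point for the region that runs unlocked, and assert the lock state at the function boundary so a new early return fails loudly rather than corrupting the caller's view of the lock.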