HomeFreeBSD
Diffusion FreeBSD src repository - subversion rS291301

The r241129 description was wrong that the scenario is possible
rS291301
Actions

Description

The r241129 description was wrong that the scenario is possible
only for read locks on pcbs. The same race can happen with write
lock semantics as well.

The race scenario:

  • Two threads (1 and 2) locate pcb with writer semantics (INPLOOKUP_WLOCKPCB) and do in_pcbref() on it.
  • 1 and 2 both drop the inp hash lock.
  • Another thread (3) grabs the inp hash lock. Then it runs in_pcbfree(), which wlocks the pcb. They must happen faster than 1 or 2 come INP_WLOCK()!
  • 1 and 2 congest in INP_WLOCK().
  • 3 does in_pcbremlists(), drops hash lock, and runs in_pcbrele_wlocked(), which doesn't free the pcb due to two references on it. Then it unlocks the pcb.
  • 1 (or 2) gets wlock on the pcb, runs in_pcbrele_wlocked(), which doesn't report inp as freed, due to 2 (or 1) still helding extra reference on it. The thread tries to do smth with a disconnected pcb and crashes.

Submitted by: emeric.poupon@stormshield.eu
Reviewed by: gleb@
MFC after: 1 week
Sponsored by: Stormshield
Tested by: Cassiano Peixoto, Stormshield

Details

Provenance
fabientAuthored on
Parents
rS291300: Add simple indent wrapper tool for style(9) checking GIT/SVN patches.
Branches
Unknown
Tags
Unknown

Changes (1)

PathSize
head/
sys/
netinet/

rS291301

View Options

head/sys/netinet/in_pcb.c

Loading...