git: socket: Close the soreference() race against socket owner netisr sofree()

Sepherosa Ziehau sephe at crater.dragonflybsd.org
Thu Jul 30 08:37:55 PDT 2015


commit 3735a8851896448ba005309afe43d04205d50fc2
Author: Sepherosa Ziehau <sephe at dragonflybsd.org>
Date:   Thu Jul 30 23:24:37 2015 +0800

    socket: Close the soreference() race against socket owner netisr sofree()
    
    The race is kinda like this:
    
        Other thread/netisrN         netisrM (so->so_pcb owner)
                 :                              :
          getpooltoken(head);                   :
          so->so_head = NULL;                   :
                 :                          sofree(so); (*)
          soreference(so);                      :
          relpooltoken(head);                   :
    
    (*)
    sofree(so) frees the socket, since so->so_head is NULL and
    getpooltoken(head) is not called.
    
    Reported-by: dillon@

Summary of changes:
 sys/kern/uipc_socket.c   | 14 +++++++++-----
 sys/kern/uipc_socket2.c  |  3 +--
 sys/kern/uipc_syscalls.c |  7 ++++++-
 sys/sys/socketvar.h      |  2 +-
 4 files changed, 17 insertions(+), 9 deletions(-)

http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/3735a8851896448ba005309afe43d04205d50fc2


-- 
DragonFly BSD source repository



More information about the Commits mailing list