git: uipc: Fix lockless unp_conn accessing and uipc_detach() race.

Sepherosa Ziehau sephe at crater.dragonflybsd.org
Wed Aug 26 19:53:17 PDT 2015


commit 16e0b14df047f80cf1b7029e923515191c67849b
Author: Sepherosa Ziehau <sephe at dragonflybsd.org>
Date:   Wed Aug 26 20:32:03 2015 +0800

    uipc: Fix lockless unp_conn accessing and uipc_detach() race.
    
               THREAD1                         THREAD2
    
      uipc_send(unp)                    uipc_detach(unp2)
      {                                 {
        lock(unp);                        unp_free(unp2)
        unp2 = unp->unp_conn;             {
          :                                 /* unp2 ref is 0 */
        unp_reference(unp2);                unp_detach(unp2); (***)
        /* unp2 ref is 1 */               }
          :                             }
        unp_free(unp2)                            :
        {                                         :
           /* unp2 ref is 0 */                    :
           unp_detach(unp2); (***)                :
        }                                         :
        unlock(unp);                              :
      }                                           :
    
    Two calls to unp_detach() on unp2!
    
    To fix this race, we drop all connections before calling unp_free()
    on the uipc_detach() and uipc_abort() paths.

Summary of changes:
 sys/kern/uipc_usrreq.c | 80 +++++++++++++++++++++++++++++++++-----------------
 sys/sys/unpcb.h        |  3 +-
 2 files changed, 55 insertions(+), 28 deletions(-)

http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/16e0b14df047f80cf1b7029e923515191c67849b


-- 
DragonFly BSD source repository
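The interleaving in the commit message above, replayed as an added example that is not DragonFly's code: a single-threaded C model of the reference count and the detach path, with the racy step order from the diagram executed explicitly and then the fixed order (disconnect first, then unp_free()) in both possible lock orders. The struct, the split of unp_free() into a "drop" step and a "detach" step, and the detaches counter are simplifications introduced here for illustration; they are not the real unpcb or the functions in sys/kern/uipc_usrreq.c.

```c
/* Added example, not DragonFly's code: a single-threaded model of the
 * refcount race described in the commit message. Names mirror
 * uipc_usrreq.c, but the struct and functions are simplified stand-ins. */
#include <stddef.h>
#include <stdio.h>

struct unpcb {
    int refs;            /* reference count; unp_detach() when it hits 0 */
    struct unpcb *conn;  /* peer, like unp_conn */
    int detaches;        /* how often unp_detach() ran; the bug makes it 2 */
};

static void unp_reference(struct unpcb *u) { u->refs++; }

/* What unp_free() does once the count has dropped to zero. */
static void unp_detach(struct unpcb *u) {
    u->detaches++;
    u->conn = NULL;
}

/* unp_free() split in two so the window between "count reached zero"
 * and "detach ran" can be replayed step by step. Returns 1 on last ref. */
static int unp_free_drop(struct unpcb *u) { return --u->refs == 0; }

static void unp_free(struct unpcb *u) {
    if (unp_free_drop(u))
        unp_detach(u);
}

static void connect_pair(struct unpcb *a, struct unpcb *b) {
    a->refs = b->refs = 1;   /* each socket's own reference */
    a->detaches = b->detaches = 0;
    a->conn = b;
    b->conn = a;
}

/* Before the fix: THREAD1 holds only unp's lock and has read
 * unp->unp_conn without any lock on unp2 while THREAD2 runs
 * uipc_detach(unp2). Steps follow the diagram in the commit message. */
int race_before_fix(void) {
    struct unpcb unp, unp2;
    connect_pair(&unp, &unp2);

    struct unpcb *peer = unp.conn;          /* THREAD1: unp2 = unp->unp_conn */
    int t2_last = unp_free_drop(&unp2);     /* THREAD2: unp_free(), ref 1 -> 0 */
    unp_reference(peer);                    /* THREAD1: ref 0 -> 1, resurrected */
    if (t2_last)
        unp_detach(&unp2);                  /* THREAD2: unp_detach(unp2) (***) */
    unp_free(peer);                         /* THREAD1: ref 1 -> 0, detach (***) */

    return unp2.detaches;                   /* 2: the double detach */
}

/* After the fix: uipc_detach(unp2) drops the connection first. In the
 * real code unp_disconnect() takes unp's lock, so it serializes with
 * THREAD1's critical section; the model replays both resulting orders. */
static void uipc_detach_fixed(struct unpcb *u) {
    if (u->conn) {                          /* disconnect before unp_free() */
        u->conn->conn = NULL;
        u->conn = NULL;
    }
    unp_free(u);
}

static void uipc_send_model(struct unpcb *u) {
    struct unpcb *peer = u->conn;           /* lock(unp) held in the real code */
    if (peer == NULL)
        return;                             /* already disconnected */
    unp_reference(peer);
    /* ... deliver to peer ... */
    unp_free(peer);
}

int race_after_fix(int send_first) {
    struct unpcb unp, unp2;
    connect_pair(&unp, &unp2);
    if (send_first) {                       /* THREAD1 got unp's lock first */
        uipc_send_model(&unp);
        uipc_detach_fixed(&unp2);
    } else {                                /* THREAD2 disconnected first */
        uipc_detach_fixed(&unp2);
        uipc_send_model(&unp);
    }
    return unp2.detaches;                   /* 1 in either order */
}

int main(void) {
    printf("before fix: unp_detach(unp2) ran %d times\n", race_before_fix());
    printf("after fix:  %d (send first), %d (detach first)\n",
           race_after_fix(1), race_after_fix(0));
    return 0;
}
```

The model makes the core point visible: the dangerous step is unp_reference() on an object whose count already reached zero, which the lockless unp_conn read allows. Disconnecting under unp's lock before unp_free() means a sender either finishes while unp2 is still legitimately referenced or finds unp_conn NULL, so the count can never be revived.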
