git: uipc: Fix lockless unp_conn accessing and uipc_detach() race.
Sepherosa Ziehau
sephe at crater.dragonflybsd.org
Wed Aug 26 19:53:17 PDT 2015
commit 16e0b14df047f80cf1b7029e923515191c67849b
Author: Sepherosa Ziehau <sephe at dragonflybsd.org>
Date: Wed Aug 26 20:32:03 2015 +0800
uipc: Fix lockless unp_conn accessing and uipc_detach() race.
    THREAD1                            THREAD2
    uipc_send(unp)                     uipc_detach(unp2)
    {                                  {
        lock(unp);                         unp_free(unp2)
        unp2 = unp->unp_conn;              {
        :                                      /* unp2 ref is 0 */
        unp_reference(unp2);                   unp_detach(unp2); (***)
        /* unp2 ref is 1 */                }
        :                              }
        unp_free(unp2)                 :
        {                              :
            /* unp2 ref is 0 */        :
            unp_detach(unp2); (***)    :
        }                              :
        unlock(unp);                   :
    }                                  :
Two calls of unp_detach() on unp2!
To fix this race, we drop all connections before calling unp_free()
on uipc_detach() and uipc_abort() path.
Summary of changes:
sys/kern/uipc_usrreq.c | 80 +++++++++++++++++++++++++++++++++-----------------
sys/sys/unpcb.h | 3 +-
2 files changed, 55 insertions(+), 28 deletions(-)
http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/16e0b14df047f80cf1b7029e923515191c67849b
--
DragonFly BSD source repository
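
The interleaving in the commit message, replayed deterministically in a single-threaded model. This is an added example, not DragonFly code: `send_use_peer`, `link_pair`, `replay_buggy` and `replay_fixed` are hypothetical names, and the fixed case assumes the disconnect is serialized with the sender's lock(unp).

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified single-threaded model (added example, not DragonFly code). */
struct unpcb {
    int refs;               /* reference count */
    int detach_calls;       /* times unp_detach() ran on this pcb */
    struct unpcb *unp_conn; /* connected peer, NULL once disconnected */
};

static void unp_detach(struct unpcb *unp) { unp->detach_calls++; }
/* Drop one reference; whoever reaches 0 tears the pcb down. */
static void unp_free(struct unpcb *unp) { if (--unp->refs == 0) unp_detach(unp); }

/* THREAD1, second half of uipc_send(): reference the peer, then release it. */
static void send_use_peer(struct unpcb *unp2)
{
    if (unp2 == NULL) return;   /* peer already disconnected */
    unp2->refs++;               /* unp_reference(unp2) */
    unp_free(unp2);
}

/* Hypothetical helper: two connected pcbs, one reference each. */
static void link_pair(struct unpcb *a, struct unpcb *b)
{
    *a = (struct unpcb){1, 0, b}; *b = (struct unpcb){1, 0, a};
}

/* Schedule from the commit message: T1 loads unp_conn, T2 frees, T1 goes on. */
int replay_buggy(void)
{
    struct unpcb unp, unp2; link_pair(&unp, &unp2);
    struct unpcb *peer = unp.unp_conn;  /* T1: unp2 = unp->unp_conn */
    unp_free(&unp2);                    /* T2: ref 1 -> 0, detach #1 */
    send_use_peer(peer);                /* T1: ref 0 -> 1 -> 0, detach #2 */
    return unp2.detach_calls;
}

/* Fixed order: drop the connection before unp_free(). Assumption: the drop is
 * serialized with the sender's lock(unp), so T1 runs wholly before or after. */
int replay_fixed(int sender_first)
{
    struct unpcb unp, unp2; link_pair(&unp, &unp2);
    if (sender_first) send_use_peer(unp.unp_conn);  /* ref 1 -> 2 -> 1 */
    unp.unp_conn = unp2.unp_conn = NULL; unp_free(&unp2); /* one detach */
    if (!sender_first) send_use_peer(unp.unp_conn); /* sees NULL, no-op */
    return unp2.detach_calls;
}

int main(void) { printf("buggy=%d fixed=%d/%d\n", replay_buggy(), replay_fixed(0), replay_fixed(1)); return 0; }
```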