CyberLeo.Net >> Repos - FreeBSD/stable/10.git/commit

MFC r291301:

The r241129 description was wrong that the scenario is possible
only for read locks on pcbs. The same race can happen with write
lock semantics as well.

The race scenario:

- Two threads (1 and 2) locate pcb with writer semantics (INPLOOKUP_WLOCKPCB)
  and do in_pcbref() on it.
- 1 and 2 both drop the inp hash lock.
- Another thread (3) grabs the inp hash lock. Then it runs in_pcbfree(),
  which wlocks the pcb. They must happen faster than 1 or 2 come INP_WLOCK()!
- 1 and 2 congest in INP_WLOCK().
- 3 does in_pcbremlists(), drops hash lock, and runs in_pcbrele_wlocked(),
  which doesn't free the pcb due to two references on it.
  Then it unlocks the pcb.
- 1 (or 2) gets wlock on the pcb, runs in_pcbrele_wlocked(), which doesn't
  report inp as freed, due to 2 (or 1) still helding extra reference on it.
  The thread tries to do smth with a disconnected pcb and crashes.

Submitted by: emeric.poupon@stormshield.eu
Reviewed by: glebius@
Sponsored by: Stormshield
Tested by: Cassiano Peixoto, Stormshield

git-svn-id: svn://svn.freebsd.org/base/stable/10@291652 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f

author	fabient <fabient@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
	Wed, 2 Dec 2015 17:26:37 +0000 (17:26 +0000)
committer	fabient <fabient@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
	Wed, 2 Dec 2015 17:26:37 +0000 (17:26 +0000)
commit	889e4a62302ebba8eb9c3184be85674d451e24ca
tree	a1cd026229b0606e80d7222dcdfa2c995e639a3f	tree \| snapshot
parent	fbe7f4a632f7e7b33083868ffc22864848315d39	commit \| diff