socket: Fix a race between kevent(2) and listen(2)
ClosedPublic
Actions

Authored by markj on Jun 15 2022, 1:12 PM.

Details

Reviewers

glebius

Group Reviewers

network

Commits

rGf6379f7fdec0: socket: Fix a race between kevent(2) and listen(2)

Summary

When locking the knote list for a socket, we check whether the socket is
a listening socket in order to select the appropriate mutex; a listening
socket uses the socket lock, while data sockets use socket buffer
mutexes.

If SOLISTENING(so) is false and the knote lock routine locks a socket
buffer, then it must re-check whether the socket is a listening socket
since solisten_proto() could have changed the socket's identity.

Reported by: syzkaller

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 45987
Build 42875: arc lint + arc unit

Event Timeline

markj created this revision.Jun 15 2022, 1:12 PM

Herald added a subscriber: imp. · View Herald TranscriptJun 15 2022, 1:12 PM

markj requested review of this revision.Jun 15 2022, 1:12 PM

Harbormaster completed remote builds in B45987: Diff 106945.Jun 15 2022, 1:12 PM

Thanks, Mark!

If I was writing this I would prefer goto over for(;;) and break as human reading of the code should be that looping here is extremely unprobable:

retry:
if (SOLISTENING(so))
        SOLISTEN_LOCK(so);
else {
        SOCK_RECVBUF_LOCK(so);
        if (__predict_false(SOLISTENING(so))) {
                  SOCK_RECVBUF_UNLOCK(so);
                  goto retry;
        }
}

This revision is now accepted and ready to land.Jun 15 2022, 7:19 PM