Date:      Tue, 9 Apr 2013 20:52:26 +0000 (UTC)
From:      Andre Oppermann <andre@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r249317 - head/sys/netinet
Message-ID:  <201304092052.r39KqQNA043987@svn.freebsd.org>

Author: andre
Date: Tue Apr  9 20:52:26 2013
New Revision: 249317
URL: http://svnweb.freebsd.org/changeset/base/249317

Log:
  Fix a race condition on tcp listen socket teardown with pending
  connections in the accept queue and contiguous new incoming SYNs.
  
  Compared to the original submitters' patch I've moved the test
  next to the SYN handling to have it together in a logical unit
  and reworded the comment explaining the issue.
  
  Submitted by:	Matt Miller <matt@matthewjmiller.net>
  Submitted by:	Juan Mojica <jmojica@gmail.com>
  Reviewed by:	Matt Miller (changes)
  Tested by:	pho
  MFC after:	1 week

Modified:
  head/sys/netinet/tcp_input.c

Modified: head/sys/netinet/tcp_input.c
==============================================================================
--- head/sys/netinet/tcp_input.c	Tue Apr  9 20:21:35 2013	(r249316)
+++ head/sys/netinet/tcp_input.c	Tue Apr  9 20:52:26 2013	(r249317)
@@ -1405,6 +1405,15 @@ relocked:
 		 */
 		INP_INFO_UNLOCK_ASSERT(&V_tcbinfo);
 		return;
+	} else if (tp->t_state == TCPS_LISTEN) {
+		/*
+		 * When a listen socket is torn down the SO_ACCEPTCONN
+		 * flag is removed first while connections are drained
+		 * from the accept queue in a unlock/lock cycle of the
+		 * ACCEPT_LOCK, opening a race condition allowing a SYN
+		 * attempt go through unhandled.
+		 */
+		goto dropunlock;
 	}
 
 #ifdef TCP_SIGNATURE
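
Review bot: The comment above `goto dropunlock;` explains the race but not the invariant the new `else if (tp->t_state == TCPS_LISTEN)` branch depends on. The condition never tests SO_ACCEPTCONN itself, so a reader has to infer from the block that ends just before it that reaching this branch means the flag has already been cleared; state that in the comment. It would also help to say why the segment is dropped silently, since nothing in the visible lines counts or logs the drop, which makes the teardown race hard to observe afterwards. Two wording nits in the same comment: "a unlock/lock cycle" should read "an unlock/lock cycle", and "allowing a SYN attempt go through" should read "allowing a SYN attempt to go through".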


