From owner-dev-commits-src-branches@freebsd.org Fri Sep 24 13:32:13 2021
Date: Fri, 24 Sep 2021 13:32:12 GMT
Message-Id: <202109241332.18ODWCJF087053@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston Subject: git: 5a9ecb0b1505 - stable/13 - socket: Add assertions around naked refcount decrements MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: 5a9ecb0b1505b4830c67b586164be7593ba32bf4 Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-branches@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commits to the stable branches of the FreeBSD src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Sep 2021 13:32:13 -0000 The branch stable/13 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=5a9ecb0b1505b4830c67b586164be7593ba32bf4 commit 5a9ecb0b1505b4830c67b586164be7593ba32bf4 Author: Mark Johnston AuthorDate: 2021-09-17 16:26:56 +0000 Commit: Mark Johnston CommitDate: 2021-09-24 13:03:04 +0000 socket: Add assertions around naked refcount decrements Sockets in a listen queue hold a reference to the parent listening socket. Several code paths release this reference manually when moving a child socket out of the queue. Replace comments about the expected post-decrement refcount value with assertions. Use refcount_load() instead of a plain load. No functional change intended. Sponsored by: The FreeBSD Foundation (cherry picked from commit 6b288408ca32e68c74f6ab12324448ab4862a045) --- sys/kern/uipc_socket.c | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c index 13482fce5980..77c23859cf33 100644 --- a/sys/kern/uipc_socket.c +++ b/sys/kern/uipc_socket.c 
@@ -1073,11 +1073,12 @@ void sofree(struct socket *so) { struct protosw *pr = so->so_proto; + bool last __diagused; SOCK_LOCK_ASSERT(so); - if ((so->so_state & SS_NOFDREF) == 0 || so->so_count != 0 || - (so->so_state & SS_PROTOREF) || (so->so_qstate == SQ_COMP)) { + if ((so->so_state & (SS_NOFDREF | SS_PROTOREF)) != SS_NOFDREF || + refcount_load(&so->so_count) != 0 || so->so_qstate == SQ_COMP) { SOCK_UNLOCK(so); return; } @@ -1113,8 +1114,9 @@ sofree(struct socket *so) __func__, so, sol)); TAILQ_REMOVE(&sol->sol_incomp, so, so_list); sol->sol_incqlen--; - /* This is guarenteed not to be the last. */ - refcount_release(&sol->so_count); + last = refcount_release(&sol->so_count); + KASSERT(!last, ("%s: released last reference for %p", + __func__, sol)); so->so_qstate = SQ_NONE; so->so_listen = NULL; } else @@ -1122,7 +1124,7 @@ sofree(struct socket *so) ("%s: so %p not on (in)comp with so_listen", __func__, so)); sorele(sol); - KASSERT(so->so_count == 1, + KASSERT(refcount_load(&so->so_count) == 1, ("%s: so %p count %u", __func__, so, so->so_count)); so->so_count = 0; } @@ -1178,6 +1180,7 @@ soclose(struct socket *so) struct accept_queue lqueue; struct socket *sp, *tsp; int error = 0; + bool last __diagused; KASSERT(!(so->so_state & SS_NOFDREF), ("soclose: SS_NOFDREF on enter")); @@ -1224,8 +1227,9 @@ drop: sp->so_qstate = SQ_NONE; sp->so_listen = NULL; SOCK_UNLOCK(sp); - /* Guaranteed not to be the last. */ - refcount_release(&so->so_count); + last = refcount_release(&so->so_count); + KASSERT(!last, ("%s: released last reference for %p", + __func__, so)); } } KASSERT((so->so_state & SS_NOFDREF) == 0, ("soclose: NOFDREF")); @@ -1237,7 +1241,7 @@ drop: SOCK_UNLOCK(sp); soabort(sp); } else { - /* sp is now in sofree() */ + /* See the handling of queued sockets in sofree(). */ SOCK_UNLOCK(sp); } } 
@@ -3971,6 +3975,7 @@ soisconnecting(struct socket *so) void soisconnected(struct socket *so) { + bool last __diagused; SOCK_LOCK(so); so->so_state &= ~(SS_ISCONNECTING|SS_ISDISCONNECTING|SS_ISCONFIRMING); @@ -4003,8 +4008,9 @@ soisconnected(struct socket *so) sorele(head); return; } - /* Not the last one, as so holds a ref. */ - refcount_release(&head->so_count); + last = refcount_release(&head->so_count); + KASSERT(!last, ("%s: released last reference for %p", + __func__, head)); } again: if ((so->so_options & SO_ACCEPTFILTER) == 0) {
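Review bot: in the first sofree() hunk (@@ -1073,11 +1073,12 @@), the early-return test now folds the SS_NOFDREF and SS_PROTOREF checks into a single masked compare, `(so->so_state & (SS_NOFDREF | SS_PROTOREF)) != SS_NOFDREF`. It returns unless SS_NOFDREF is set and SS_PROTOREF is clear, which matches the two separate tests it replaces, but the intent is harder to read than before. Since the message says no functional change is intended, a one-line comment above the condition stating that the socket is only freed when it has no file descriptor reference and no protocol reference would let a reader confirm that without expanding the mask by hand.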
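Review bot: in the sofree() hunk at @@ -1122,7 +1124,7 @@, only the KASSERT condition was converted to refcount_load(); the message argument for `%u` still reads `so->so_count` directly, and the following context line stores `so->so_count = 0` as a plain assignment. The commit message says plain loads are being replaced, so pass `refcount_load(&so->so_count)` as the format argument as well, and add a short comment on the plain store saying why no other holder can observe the counter at that point.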
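Review bot: in soisconnected() (@@ -4003,8 +4008,9 @@), the deleted comment gave the reason the release cannot drop the last reference ("as so holds a ref"), while the new KASSERT message only reports that the invariant was broken. Keep that reason as a short comment above `last = refcount_release(&head->so_count);` so whoever hits the panic knows which reference was expected to remain. The sofree() and soclose() hunks use the same three-line release-and-assert sequence; a matching comment there naming the reference that keeps the listening socket alive would make the three sites consistent.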