On Thu, Jun 16, 2005 at 09:01:23AM +0200, Hans Hübner wrote:
> On Wed, 15 Jun 2005, Will Lentz wrote:
>
> >I may have found a potential bug in
> >packages/net/bsd_tcpip/current/src/sys/kern/uipc_socket.c (or I may be
> >completely wrong :-).
> >
> >At the end of sodealloc(), the following code exists:
> >    zfreei(so->so_zone, so);
> >    wakeup(so->so_zone);
> >The problem is that zfreei() changes so->so_zone. Shouldn't wakeup() be
> >done on the original so->so_zone? I only noticed this problem by:
> >1- while(1) {
> >       sock = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP );
> >       connect( sock, ... );
> >       close( sock );
> >   }
> >   Eventually this pauses in socket() (in cyg_tsleep()) when you run out
> >of eCos sockets.
> >
> >2- After 2*MSL or so, cyg_wakeup() gets called with chan == 0x0. Why?
> >The zfreei() call in sodealloc() changes so->so_zone to 0 before the
> >wakeup() call.

This is not quite correct. zfreei() does not change so->so_zone. What it does
is return the memory for the so structure to the pool. The wakeup then uses
the memory which has just been returned to the pool. There is a race
condition. Once back into the pool the memory could be allocated to another
thread before the call to wakeup is made.

Attached is a patch to fix this.

Andrew
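The ordering problem Andrew describes (free the socket, then read a field of the freed socket to pick the wakeup channel) can be shown with a small constructed model; this is an added illustration, not the eCos code or the attached patch. The model zone allocator hands the freed slot to a "new owner" immediately by clearing it, which stands in for another thread reusing the memory, and the wakeup is keyed on a channel pointer as in the BSD code. All names here (zone_t, model_socket, model_zfree, model_wakeup, dealloc_buggy, dealloc_fixed, run_*_scenario) are this example's own; the fix shown is the obvious one of capturing the channel in a local before the free.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of a zone allocator and wakeup channel (not eCos code). */
typedef struct zone {
    int id;
    int waiters_woken;      /* how many times wakeup() hit this zone */
} zone_t;

typedef struct model_socket {
    zone_t *so_zone;        /* the channel sodealloc() wakes on */
    char    payload[16];
} model_socket;

static void model_socket_init(model_socket *so, zone_t *zone) {
    so->so_zone = zone;
    memset(so->payload, 0xAB, sizeof so->payload);
}

/* Return the socket to its zone. To model the race, the slot is handed to
 * another owner at once: everything in it, so_zone included, is overwritten. */
static void model_zfree(zone_t *zone, model_socket *so) {
    (void)zone;
    memset(so, 0, sizeof *so);  /* next owner reinitialises the slot */
}

/* wakeup keyed on a channel pointer; returns 1 if the channel matched the zone */
static int model_wakeup(const void *chan, zone_t *zone) {
    if (chan == (const void *)zone) {
        zone->waiters_woken++;
        return 1;
    }
    return 0;               /* chan is 0x0 or some other owner's value */
}

/* Buggy ordering: free first, then read so->so_zone out of freed memory. */
int dealloc_buggy(zone_t *zone, model_socket *so) {
    model_zfree(so->so_zone, so);
    return model_wakeup(so->so_zone, zone);   /* use after free: chan is now 0 */
}

/* Fixed ordering: remember the channel before the memory goes back to the pool. */
int dealloc_fixed(zone_t *zone, model_socket *so) {
    zone_t *chan = so->so_zone;
    model_zfree(chan, so);
    return model_wakeup(chan, zone);
}

/* Scenario helpers: each returns the wakeup result for one fresh socket. */
int run_buggy_scenario(void) {
    zone_t zone = { 1, 0 };
    model_socket so;
    model_socket_init(&so, &zone);
    return dealloc_buggy(&zone, &so);         /* 0: sleeper in socket() never woken */
}

int run_fixed_scenario(void) {
    zone_t zone = { 1, 0 };
    model_socket so;
    model_socket_init(&so, &zone);
    int woken = dealloc_fixed(&zone, &so);
    return woken && zone.waiters_woken == 1;  /* 1: sleeper woken exactly once */
}
```

In the buggy path the channel read back from the freed slot is 0, which is exactly the chan == 0x0 seen in cyg_wakeup() in the report; the thread blocked in cyg_tsleep() on the real zone address is never woken. In a real kernel the freed memory may also still hold the old pointer for a while, so the bug shows up only intermittently, which is why a tight open/connect/close loop was needed to surface it.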