Received: (qmail 5783 invoked by alias); 17 Jun 2005 20:12:51 -0000
Mailing-List: contact ecos-discuss-help@ecos.sourceware.org; run by ezmlm
Precedence: bulk
Sender: ecos-discuss-owner@ecos.sourceware.org
Received: (qmail 4962 invoked by uid 22791); 17 Jun 2005 20:12:42 -0000
Received: from londo.lunn.ch (HELO londo.lunn.ch) (80.238.139.98) by sourceware.org (qpsmtpd/0.30-dev) with ESMTP; Fri, 17 Jun 2005 20:12:42 +0000
Received: from lunn by londo.lunn.ch with local (Exim 3.36 #1 (Debian)) id 1DjN9Q-0002JX-00; Fri, 17 Jun 2005 22:09:16 +0200
Date: Fri, 17 Jun 2005 20:12:00 -0000
To: Hans Hübner
Cc: Will Lentz, ecos-discuss@ecos.sourceware.org
Message-ID: <20050617200916.GB17597@lunn.ch>
Mail-Followup-To: Hans Hübner, Will Lentz, ecos-discuss@ecos.sourceware.org
References: <1118875026.9020.21.camel@localhost.localdomain> <20050616083626.U69813@web.m68k.de>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="sdtB3X0nJg68CQEu"
Content-Disposition: inline
In-Reply-To: <20050616083626.U69813@web.m68k.de>
User-Agent: Mutt/1.5.9i
From: Andrew Lunn
Subject: Re: [ECOS] uipc_socket.c (and cyg_tcp_maxidle)
X-SW-Source: 2005-06/txt/msg00150.txt.bz2

On Thu, Jun 16, 2005 at 09:01:23AM +0200, Hans Hübner wrote:
> On Wed, 15 Jun 2005, Will Lentz wrote:
>
> > I may have found a potential bug in
> > packages/net/bsd_tcpip/current/src/sys/kern/uipc_socket.c (or I may be
> > completely wrong :-).
> >
> > At the end of sodealloc(), the following code exists:
> >     zfreei(so->so_zone, so);
> >     wakeup(so->so_zone);
> > The problem is that zfreei() changes so->so_zone. Shouldn't wakeup() be
> > done on the original so->so_zone? I only noticed this problem by:
> > 1- while(1) {
> >        sock = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP );
> >        connect( sock, ... );
> >        close( sock );
> >    }
> >    Eventually this pauses in socket() (in cyg_tsleep()) when you run out
> >    of eCos sockets.
> >
> > 2- After 2*MSL or so, cyg_wakeup() gets called with chan == 0x0. Why?
> >    The zfreei() call in sodealloc() changes so->so_zone to 0 before the
> >    wakeup() call.

This is not quite correct. zfreei() does not change so->so_zone. What it
does is return the memory for the so structure to the pool. The wakeup then
uses the memory which has just been returned to the pool. There is a race
condition. Once back into the pool the memory could be allocated to another
thread before the call to wakeup is made.

Attached is a patch to fix this.

        Andrew

Content-Disposition: attachment; filename="sodealloc.diff"

Index: net/bsd_tcpip/current/ChangeLog
===================================================================
RCS file: /cvs/ecos/ecos-opt/net/net/bsd_tcpip/current/ChangeLog,v
retrieving revision 1.52
diff -u -r1.52 ChangeLog
--- net/bsd_tcpip/current/ChangeLog	27 Mar 2005 18:18:13 -0000	1.52
+++ net/bsd_tcpip/current/ChangeLog	17 Jun 2005 20:08:29 -0000
@@ -1,3 +1,8 @@
+2005-06-17  Andrew Lunn
+
+	* src/sys/kern/uipc_socket.c (sodealloc): Fixed a race condition
+	when freeing the socket memory. Problem reported by Will Lent.
+
 2005-03-27  Andrew Lunn
 
 	* src/sys/net/if.c (ifioctl): Fixed a compiler warning about
Index: net/bsd_tcpip/current/src/sys/kern/uipc_socket.c
===================================================================
RCS file: /cvs/ecos/ecos-opt/net/net/bsd_tcpip/current/src/sys/kern/uipc_socket.c,v
retrieving revision 1.3
diff -u -r1.3 uipc_socket.c
--- net/bsd_tcpip/current/src/sys/kern/uipc_socket.c	24 Jul 2003 18:04:25 -0000	1.3
+++ net/bsd_tcpip/current/src/sys/kern/uipc_socket.c	17 Jun 2005 20:08:31 -0000
@@ -188,8 +188,10 @@
 void
 sodealloc(so)
 	struct socket *so;
+
 {
-
+	vm_zone_t zone;
+
 	so->so_gencnt = ++so_gencnt;
 #ifdef INET
 	if (so->so_accf != NULL) {
@@ -202,8 +204,9 @@
 		FREE(so->so_accf, M_ACCF);
 	}
 #endif /* INET */
-	zfreei(so->so_zone, so);
-	wakeup(so->so_zone);
+	zone = so->so_zone;
+	zfreei(zone, so);
+	wakeup(zone);
 }
 
 int

-- 
Before posting, please read the FAQ: http://ecos.sourceware.org/fom/ecos
and search the list archive: http://ecos.sourceware.org/ml/ecos-discuss
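Review bot: the reporter's name in the ChangeLog hunk (@@ -1,3 +1,8 @@) is misspelled; the headers show the report came from Will Lentz, so the line should read `+	when freeing the socket memory. Problem reported by Will Lentz.`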
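Review bot: the blank line added between `struct socket *so;` and `{` in the uipc_socket.c hunk @@ -188,8 +188,10 @@ looks unintended: the hunk inserts an empty `+` line before the opening brace and removes the blank that used to follow it, leaving a gap in the middle of the K&R-style definition. Drop that first `+` line and keep `{` directly after the parameter declaration; the `+	vm_zone_t zone;` line and the blank after it already give the body the spacing it needs.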
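Review bot: hunk @@ -202,8 +204,9 @@ fixes the problem correctly, but nothing in the code says why `zone` is captured before `zfreei(zone, so);`, and the ChangeLog calls it only a race condition; the underlying defect is a read of `so->so_zone` after `so` has been returned to the pool (a use-after-free, of which the reallocation race Andrew describes is one consequence), and a future cleanup could easily fold the temporary back in. Suggest a one-line comment above `+	zone = so->so_zone;` along the lines of `/* so is invalid once zfreei() returns; save the wakeup channel first. */`, and the ChangeLog wording "Fixed a use of the socket memory after it had been freed" would describe the change more precisely.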
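The failure Andrew describes, as an added example that is not part of this thread or of the eCos sources: a constructed zone allocator that, like the BSD vm_zone code, threads its free list through the freed items, so the first word of a socket returned to the pool is overwritten by the free-list link. The stand-in `struct socket` puts `so_zone` in that first word (an assumption made so the stale read reproduces the `chan == 0x0` symptom from the report; in the real struct the field sits elsewhere and the stale read, or a concurrent reallocation, could yield anything). `sodealloc_buggy` is the pre-patch sequence and `sodealloc_fixed` the patched one; `wakeup_chan_after_free` and the predicates below it are hypothetical helpers that report which channel the stand-in `wakeup()` received.

```c
/*
 * Constructed demonstration of the sodealloc() use-after-free and its fix.
 * Not eCos code: a toy zone allocator whose free list is threaded through
 * the freed items, so freeing an item overwrites the item's first word.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct zone {
    void *zitems;   /* head of the free list (NULL when the zone is exhausted) */
    int   zfreecnt; /* number of items on the free list */
};

/* Stand-in for struct socket. ASSUMPTION: so_zone is the first field, so the
 * free-list link lands exactly on it. In the real struct it lives elsewhere;
 * the stale read is still a use-after-free, just with less predictable contents. */
struct socket {
    struct zone *so_zone;
    int          so_fd;
};

#define NSOCK 4
static struct socket sock_pool[NSOCK];
static struct zone   sock_zone;

/* Return an item to the zone: its first word becomes the free-list link. */
static void zfreei(struct zone *z, void *item)
{
    memcpy(item, &z->zitems, sizeof(void *));   /* link = old head (NULL if empty) */
    z->zitems = item;
    z->zfreecnt++;
}

/* Take an item from the zone, or NULL if it is exhausted. */
static void *zalloci(struct zone *z)
{
    void *item = z->zitems;
    if (item == NULL)
        return NULL;
    memcpy(&z->zitems, item, sizeof(void *));   /* head = link stored in the item */
    z->zfreecnt--;
    return item;
}

/* Stand-in for wakeup(): record the channel it was called with. */
static const void *last_wakeup_chan;
static void wakeup(const void *chan)
{
    last_wakeup_chan = chan;
}

/* Pre-patch sequence: so->so_zone is read after so went back to the pool. */
static void sodealloc_buggy(struct socket *so)
{
    zfreei(so->so_zone, so);
    wakeup(so->so_zone);        /* use-after-free: reads the free-list link */
}

/* Patched sequence: capture the zone before the item is freed. */
static void sodealloc_fixed(struct socket *so)
{
    struct zone *zone = so->so_zone;
    zfreei(zone, so);
    wakeup(zone);
}

static void zone_reset(void)
{
    sock_zone.zitems = NULL;
    sock_zone.zfreecnt = 0;
    for (int i = 0; i < NSOCK; i++)
        zfreei(&sock_zone, &sock_pool[i]);
}

/* Hypothetical driver: allocate `nalloc` (1..NSOCK) sockets from a fresh zone,
 * free the last one with the chosen variant, and return the channel wakeup()
 * received. With nalloc == NSOCK the free list is empty at the time of the
 * free, so the link written over so_zone is NULL: the "chan == 0x0" symptom. */
static const void *wakeup_chan_after_free(int nalloc, int use_fix)
{
    struct socket *so = NULL;
    zone_reset();
    for (int i = 0; i < nalloc && i < NSOCK; i++) {
        so = zalloci(&sock_zone);
        so->so_zone = &sock_zone;
        so->so_fd = 3 + i;
    }
    last_wakeup_chan = &sock_pool;  /* sentinel: neither NULL nor the zone */
    if (so == NULL)
        return last_wakeup_chan;
    if (use_fix)
        sodealloc_fixed(so);
    else
        sodealloc_buggy(so);
    return last_wakeup_chan;
}

/* Predicates for the two observations in the thread. */
static int fixed_wakes_zone(int nalloc)
{
    return wakeup_chan_after_free(nalloc, 1) == (const void *)&sock_zone;
}
static int buggy_wakes_zone(int nalloc)
{
    return wakeup_chan_after_free(nalloc, 0) == (const void *)&sock_zone;
}
static int buggy_wakes_null_when_exhausted(void)
{
    return wakeup_chan_after_free(NSOCK, 0) == NULL;
}

int main(void)
{
    printf("pool not exhausted: buggy wakes zone? %d  fixed wakes zone? %d\n",
           buggy_wakes_zone(1), fixed_wakes_zone(1));
    printf("pool exhausted:     buggy wakes NULL? %d  fixed wakes zone? %d\n",
           buggy_wakes_null_when_exhausted(), fixed_wakes_zone(NSOCK));
    return 0;
}
```

The single-threaded run already shows the wrong channel: when the pool still has free items the buggy path wakes a pointer to some other socket, and when the pool is exhausted it wakes NULL, which is exactly the case the loop in the report hits after it blocks in socket(). In the real system a second thread can additionally call zalloci() between the free and the wakeup and start writing its own socket over the same memory, which is the race Andrew points out; the patched sequence never touches `so` after it is freed, so neither outcome is possible.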