uipc: Fix lockless unp_conn accessing and uipc_detach() race.
authorSepherosa Ziehau <sephe@dragonflybsd.org>
Wed, 26 Aug 2015 12:32:03 +0000 (20:32 +0800)
committerSepherosa Ziehau <sephe@dragonflybsd.org>
Thu, 27 Aug 2015 02:52:25 +0000 (10:52 +0800)
commit16e0b14df047f80cf1b7029e923515191c67849b
treea5161e792d4c836f8b7e651e99e63e078b70db6a
parentc161497612765225e3757ff8ee4ed3efd086d8ce
uipc: Fix lockless unp_conn accessing and uipc_detach() race.

           THREAD1                         THREAD2

  uipc_send(unp)                    uipc_detach(unp2)
  {                                 {
    lock(unp);                        unp_free(unp2)
    unp2 = unp->unp_conn;             {
      :                                 /* unp2 ref is 0 */
    unp_reference(unp2);                unp_detach(unp2); (***)
    /* unp2 ref is 1 */               }
      :                             }
    unp_free(unp2)                            :
    {                                         :
       /* unp2 ref is 0 */                    :
       unp_detach(unp2); (***)                :
    }                                         :
    unlock(unp);                              :
  }                                           :

Two calls of unp_detach() on unp2!

To fix this race, we drop all connections before calling unp_free()
on uipc_detach() and uipc_abort() path.
sys/kern/uipc_usrreq.c
sys/sys/unpcb.h