In accept1(), extend coverage of the socket lock from just covering
soref() to also covering the update of so_state.  While no other user
threads can update the socket state here as it's not yet hooked up to
the file descriptor array yet, the protocol could also frob the
socket state here, leading to a lost update to the so_state field.
No reported instances of this bug (as yet).

MFC after:      3 days
Robert Watson 2005-02-17 13:00:23 +00:00
parent 280249a66a
commit 1e8f89541e

@ -351,9 +351,8 @@ accept1(td, uap, compat)
* reference count. Otherwise, if the protocol calls sofree(),
* the socket will be released due to a zero refcount.
*/
SOCK_LOCK(so);
SOCK_LOCK(so); /* soref() and so_state update */
soref(so); /* file descriptor reference */
SOCK_UNLOCK(so);
TAILQ_REMOVE(&head->so_comp, so, so_list);
head->so_qlen--;
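Review bot: the comment on SOCK_LOCK(so) names soref() and the so_state update, but with the SOCK_UNLOCK(so) after soref() dropped, the socket lock is now also held across TAILQ_REMOVE(&head->so_comp, so, so_list) and head->so_qlen--, which modify head's queue rather than so. Consider extending the comment to say that those two lines are not what the socket lock is protecting, so a later reader does not infer that so's lock guards head's completed queue.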
@ -361,6 +360,7 @@ accept1(td, uap, compat)
so->so_qstate &= ~SQ_COMP;
so->so_head = NULL;
SOCK_UNLOCK(so);
ACCEPT_UNLOCK();
/* An extra reference on `nfp' has been held for us by falloc(). */
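Review bot: the SOCK_UNLOCK(so) placed after so->so_head = NULL carries no comment, so the reason the unlock sits here rather than directly after soref() lives only in the commit message. A short comment at this unlock, or in the block comment above SOCK_LOCK(so), stating that the protocol may update so_state concurrently would keep a later cleanup from shrinking the locked region again and reintroducing the lost update. Releasing the socket lock before ACCEPT_UNLOCK() looks consistent with the order in which the two are taken.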