In accept1(), extend coverage of the socket lock from just covering

soref() to also covering the update of so_state.  While no other user
threads can update the socket state here as it's not yet hooked up to
the file descriptor array yet, the protocol could also frob the
socket state here, leading to a lost update to the so_state field.
No reported instances of this bug (as yet).

MFC after:      3 days
rwatson 2005-02-17 13:00:23 +00:00
parent 630d43c2be
commit 27fc9123db

@ -351,9 +351,8 @@ accept1(td, uap, compat)
* reference count. Otherwise, if the protocol calls sofree(),
* the socket will be released due to a zero refcount.
*/
SOCK_LOCK(so);
SOCK_LOCK(so); /* soref() and so_state update */
soref(so); /* file descriptor reference */
SOCK_UNLOCK(so);
TAILQ_REMOVE(&head->so_comp, so, so_list);
head->so_qlen--;
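Review bot: The block comment above SOCK_LOCK(so) still justifies the lock only in terms of the reference count, but with SOCK_UNLOCK(so) dropped from this spot the socket lock is now also held across TAILQ_REMOVE(&head->so_comp, so, so_list) and head->so_qlen--, which modify the listening socket's queue rather than so itself. Consider extending that block comment to say why the lock stays held through the dequeue and what the expected order is relative to the accept lock released by ACCEPT_UNLOCK() further down, so that a later cleanup does not move the unlock back up next to soref().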
@ -361,6 +360,7 @@ accept1(td, uap, compat)
so->so_qstate &= ~SQ_COMP;
so->so_head = NULL;
SOCK_UNLOCK(so);
ACCEPT_UNLOCK();
/* An extra reference on `nfp' has been held for us by falloc(). */
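Review bot: The so_state update named in the commit message and in the new lock comment does not appear in the context of either hunk, so the only writes visibly covered before the new SOCK_UNLOCK(so) are so->so_qstate &= ~SQ_COMP and so->so_head = NULL. It is worth confirming that the so_state assignment sits between SOCK_LOCK(so) and this unlock, and that no path between the two can return or jump out with the socket lock still held. If so_qstate and so_head are meant to be covered by the socket lock as well, the comment on SOCK_LOCK(so) should mention them.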