[src/netbsd-3]: src/sys/netinet Pull up following revision(s) (requested by b...

To: source-changes-hg%NetBSD.org@localhost
Subject: [src/netbsd-3]: src/sys/netinet Pull up following revision(s) (requested by b...
From: snj <snj%NetBSD.org@localhost>
Date: Fri, 24 Jan 2020 16:59:09 +0000

details:   https://anonhg.NetBSD.org/src/rev/68c9ad123187
branches:  netbsd-3
changeset: 579053:68c9ad123187
user:      snj <snj%NetBSD.org@localhost>
date:      Tue Nov 18 22:57:09 2008 +0000

description:
Pull up following revision(s) (requested by bouyer in ticket #1981):
        sys/netinet/tcp_timer.c: revision 1.83 via patch
Fix kern/39769: race condition in TCP timers
When a TCP timer is disarmed (with callout_stop()) in the general case
callout_invoking() isn't checked, so the timer handler could be called run
when the current interrupt handler exits, athough the timer is disarmed.
This case cause bad things like TCPT_REXMT and TCPT_PERSIST being both
pending, causing a panic (see the PR for details).
Close the issue by aborting the handler if the timer is not
callout_expired().  (the EXPIRED flag being cleared by callout_stop()).

diffstat:

 sys/netinet/tcp_timer.c |  24 ++++++++++++++++++++++--
 1 files changed, 22 insertions(+), 2 deletions(-)

diffs (73 lines):

diff -r c203035ad992 -r 68c9ad123187 sys/netinet/tcp_timer.c
--- a/sys/netinet/tcp_timer.c   Tue Nov 18 21:34:48 2008 +0000
+++ b/sys/netinet/tcp_timer.c   Tue Nov 18 22:57:09 2008 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: tcp_timer.c,v 1.71 2005/03/02 10:20:18 mycroft Exp $   */
+/*     $NetBSD: tcp_timer.c,v 1.71.2.1 2008/11/18 22:57:09 snj Exp $   */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -100,7 +100,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: tcp_timer.c,v 1.71 2005/03/02 10:20:18 mycroft Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_timer.c,v 1.71.2.1 2008/11/18 22:57:09 snj Exp $");
 
 #include "opt_inet.h"
 #include "opt_tcp_debug.h"
@@ -232,6 +232,10 @@
                splx(s);
                return;
        }
+       if (!callout_expired(&tp->t_delack_ch)) {
+               splx(s);
+               return;
+       }
 
        tp->t_flags |= TF_ACKNOW;
        (void) tcp_output(tp);
@@ -293,6 +297,10 @@
                splx(s);
                return;
        }
+       if (!callout_expired(&tp->t_timer[TCPT_REXMT])) {
+               splx(s);
+               return;
+       }
 
 #ifdef TCP_DEBUG
 #ifdef INET
@@ -453,6 +461,10 @@
                splx(s);
                return;
        }
+       if (!callout_expired(&tp->t_timer[TCPT_PERSIST])) {
+               splx(s);
+               return;
+       }
 
 #ifdef TCP_DEBUG
 #ifdef INET
@@ -520,6 +532,10 @@
                splx(s);
                return;
        }
+       if (!callout_expired(&tp->t_timer[TCPT_KEEP])) {
+               splx(s);
+               return;
+       }
 
 #ifdef TCP_DEBUG
        ostate = tp->t_state;
@@ -607,6 +623,10 @@
                splx(s);
                return;
        }
+       if (!callout_expired(&tp->t_timer[TCPT_2MSL])) {
+               splx(s);
+               return;
+       }
 
        /*
         * 2 MSL timeout went off, clear the SACK scoreboard, reset

Prev by Date: [src/trunk]: src/doc mention more changes to openssh.
Next by Date: [src/netbsd-3]: src/doc ticket 1983
Previous by Thread: [src/trunk]: src/doc mention more changes to openssh.
Next by Thread: [src/netbsd-3]: src/doc ticket 1983
Indexes:

Home | Main Index | Thread Index | Old Index