diff options
| author | Mark Johnston <markj@FreeBSD.org> | 2021-09-17 16:26:56 +0000 |
|---|---|---|
| committer | Mark Johnston <markj@FreeBSD.org> | 2021-09-17 18:19:06 +0000 |
| commit | 6b288408ca32e68c74f6ab12324448ab4862a045 (patch) | |
| tree | e1384cf9bc5fd9446eee2e86e4c154c41a38e3df /sys/kern/uipc_socket.c | |
| parent | dfcef8771484271f2bccdb1dbc088a838441c5a7 (diff) | |
| download | src-6b288408ca32e68c74f6ab12324448ab4862a045.tar.gz src-6b288408ca32e68c74f6ab12324448ab4862a045.zip | |
socket: Add assertions around naked refcount decrements
Sockets in a listen queue hold a reference to the parent listening
socket. Several code paths release this reference manually when moving
a child socket out of the queue.
Replace comments about the expected post-decrement refcount value with
assertions. Use refcount_load() instead of a plain load. No functional
change intended.
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D31974
Diffstat (limited to 'sys/kern/uipc_socket.c')
| -rw-r--r-- | sys/kern/uipc_socket.c | 26 |
1 files changed, 16 insertions, 10 deletions
diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c index f1a3b5acc827..9e898861f8f4 100644 --- a/sys/kern/uipc_socket.c +++ b/sys/kern/uipc_socket.c @@ -1120,11 +1120,12 @@ void sofree(struct socket *so) { struct protosw *pr = so->so_proto; + bool last __diagused; SOCK_LOCK_ASSERT(so); - if ((so->so_state & SS_NOFDREF) == 0 || so->so_count != 0 || - (so->so_state & SS_PROTOREF) || (so->so_qstate == SQ_COMP)) { + if ((so->so_state & (SS_NOFDREF | SS_PROTOREF)) != SS_NOFDREF || + refcount_load(&so->so_count) != 0 || so->so_qstate == SQ_COMP) { SOCK_UNLOCK(so); return; } @@ -1160,8 +1161,9 @@ sofree(struct socket *so) __func__, so, sol)); TAILQ_REMOVE(&sol->sol_incomp, so, so_list); sol->sol_incqlen--; - /* This is guarenteed not to be the last. */ - refcount_release(&sol->so_count); + last = refcount_release(&sol->so_count); + KASSERT(!last, ("%s: released last reference for %p", + __func__, sol)); so->so_qstate = SQ_NONE; so->so_listen = NULL; } else @@ -1169,7 +1171,7 @@ sofree(struct socket *so) ("%s: so %p not on (in)comp with so_listen", __func__, so)); sorele(sol); - KASSERT(so->so_count == 1, + KASSERT(refcount_load(&so->so_count) == 1, ("%s: so %p count %u", __func__, so, so->so_count)); so->so_count = 0; } @@ -1225,6 +1227,7 @@ soclose(struct socket *so) struct accept_queue lqueue; struct socket *sp, *tsp; int error = 0; + bool last __diagused; KASSERT(!(so->so_state & SS_NOFDREF), ("soclose: SS_NOFDREF on enter")); @@ -1271,8 +1274,9 @@ drop: sp->so_qstate = SQ_NONE; sp->so_listen = NULL; SOCK_UNLOCK(sp); - /* Guaranteed not to be the last. */ - refcount_release(&so->so_count); + last = refcount_release(&so->so_count); + KASSERT(!last, ("%s: released last reference for %p", + __func__, so)); } } KASSERT((so->so_state & SS_NOFDREF) == 0, ("soclose: NOFDREF")); @@ -1284,7 +1288,7 @@ drop: SOCK_UNLOCK(sp); soabort(sp); } else { - /* sp is now in sofree() */ + /* See the handling of queued sockets in sofree(). */ SOCK_UNLOCK(sp); } } @@ -4010,6 +4014,7 @@ soisconnecting(struct socket *so) void soisconnected(struct socket *so) { + bool last __diagused; SOCK_LOCK(so); so->so_state &= ~(SS_ISCONNECTING|SS_ISDISCONNECTING|SS_ISCONFIRMING); @@ -4042,8 +4047,9 @@ soisconnected(struct socket *so) sorele(head); return; } - /* Not the last one, as so holds a ref. */ - refcount_release(&head->so_count); + last = refcount_release(&head->so_count); + KASSERT(!last, ("%s: released last reference for %p", + __func__, head)); } again: if ((so->so_options & SO_ACCEPTFILTER) == 0) { |