[FreeBSD-6.1 6.2] Race condition could happen while two threads close
Susan.Lan at zyxel.com.tw
Wed Feb 14 08:55:34 UTC 2007
When looking into the soclose() in uipc_socket.c, I thought of one
If thread A calls soclose() first, it then executes sorele() and then
sofree(). However, in sofree() (defined in uipc_socket.c), the socket
mutex and the accept mutex are unlocked first, before the socket send
buffer is released. While thread A is releasing the send buffer,
another thread, thread B, jumps in. It also calls soclose(), and then
sorele(). What follows will be a catastrophe: sorele() will examine the
socket's reference count ((so)->so_count), and then a panic occurs since the
count value equals zero!
Is there any reasonable explanation?
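The following is an added illustration, not FreeBSD code and not part of the original post: a toy reference-counted object in C whose names (obj, obj_acquire, obj_release_phase1, obj_release_phase2, the dying flag) are all invented for this example. It models the shape of the scenario above, a last-reference drop under a lock followed by an unlocked window in which buffers are freed, and drives the interleavings explicitly instead of with real threads. The three scenarios show why the "count reached zero" check in a release path is a guard on the invariant that every caller of release holds a reference it previously acquired, and why the "last reference, now dying" decision has to be made under the lock even when the expensive free happens after unlocking.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdlib.h>

/* Toy model (added example, not FreeBSD's socket code) of a reference-counted
 * object with a lock, mirroring the shape of so_count / sorele() / sofree().
 * The lock is a flag because interleavings are driven by hand, not by threads. */
struct obj {
    int count;          /* like so_count: outstanding references */
    bool locked;        /* stands in for the socket mutex */
    bool dying;         /* set under the lock once the last reference is dropped */
    bool sndbuf_freed;  /* the buffer released in the unlocked window */
};

static void lock(struct obj *o)   { assert(!o->locked); o->locked = true; }
static void unlock(struct obj *o) { assert(o->locked);  o->locked = false; }

/* Acquire: check-and-increment under the lock, and refuse an object whose
 * count already reached zero instead of resurrecting it. */
bool obj_acquire(struct obj *o)
{
    lock(o);
    if (o->dying || o->count == 0) { unlock(o); return false; }
    o->count++;
    unlock(o);
    return true;
}

/* Release, phase 1 (under the lock): drop the reference and, if it was the
 * last one, mark the object dying so no new reference can be taken while the
 * heavyweight free below runs unlocked. Returns 1 if the caller now owns the
 * slow free, 0 if others still hold references, -1 if the caller never held a
 * reference at all (the condition the refcount check in a release path
 * exists to catch). */
int obj_release_phase1(struct obj *o)
{
    lock(o);
    if (o->count <= 0) { unlock(o); return -1; }
    if (--o->count == 0) { o->dying = true; unlock(o); return 1; }
    unlock(o);
    return 0;
}

/* Release, phase 2 (unlocked): free the large buffers. */
void obj_release_phase2(struct obj *o) { o->sndbuf_freed = true; }

/* Scenario 1: the interleaving from the post. A holds the only reference,
 * drops it, and is in the unlocked window when B calls release without
 * having acquired. The refcount check rejects B's release (-1). */
int scenario_release_without_reference(void)
{
    struct obj o = { .count = 1 };
    int a = obj_release_phase1(&o);   /* A: last ref, object now dying */
    int b = obj_release_phase1(&o);   /* B: interleaves here, no ref held */
    obj_release_phase2(&o);           /* A finishes freeing the buffer */
    return (a == 1 && b == -1 && o.sndbuf_freed) ? 1 : 0;
}

/* Scenario 2: B acquires before A releases. Both releases are legal and the
 * buffer is freed exactly once, by whoever drops the last reference. */
int scenario_acquire_before_release(void)
{
    struct obj o = { .count = 1 };
    if (!obj_acquire(&o)) return 0;   /* B: count becomes 2 */
    int a = obj_release_phase1(&o);   /* A: count 1, not the last */
    int b = obj_release_phase1(&o);   /* B: count 0, last, owns the free */
    if (b == 1) obj_release_phase2(&o);
    return (a == 0 && b == 1 && o.sndbuf_freed) ? 1 : 0;
}

/* Scenario 3: B tries to acquire inside A's unlocked window. Because dying
 * was set under the lock in phase 1, the acquire fails cleanly. */
int scenario_acquire_in_window(void)
{
    struct obj o = { .count = 1 };
    int a = obj_release_phase1(&o);
    bool got = obj_acquire(&o);
    obj_release_phase2(&o);
    return (a == 1 && !got && o.sndbuf_freed) ? 1 : 0;
}
```

Each scenario function returns 1 when the model behaves as the comment describes, so the three can be called from a test harness; the deliberate design choice is that the zero/dying decision is taken atomically under the lock, while only the buffer free is allowed to run in the unlocked window.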