From a86ec3382030607ef7a672217d977cd0bb8fa878 Mon Sep 17 00:00:00 2001 From: Bruce M Simpson Date: Sat, 23 Dec 2006 21:07:07 +0000 Subject: [PATCH] Drop all received data mbufs from a socket's queue if the MT_SONAME mbuf is dropped, to preserve the invariant in the PR_ADDR case. Add a regression test to detect this condition, but do not hook it up to the build for now. PR: kern/38495 Submitted by: James Juran Reviewed by: sam, rwatson Obtained from: NetBSD MFC after: 2 weeks --- sys/kern/uipc_socket.c | 20 ++-- tools/regression/sockets/pr_atomic/Makefile | 7 ++ .../regression/sockets/pr_atomic/pr_atomic.c | 109 ++++++++++++++++++ 3 files changed, 125 insertions(+), 11 deletions(-) create mode 100644 tools/regression/sockets/pr_atomic/Makefile create mode 100644 tools/regression/sockets/pr_atomic/pr_atomic.c diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c index f1690dfebe7..275e2676e62 100644 --- a/sys/kern/uipc_socket.c +++ b/sys/kern/uipc_socket.c @@ -1439,7 +1439,6 @@ soreceive_generic(so, psa, uio, mp0, controlp, flagsp) struct protosw *pr = so->so_proto; struct mbuf *nextrecord; int moff, type = 0; - int mbuf_removed = 0; int orig_resid = uio->uio_resid; mp = mp0; @@ -1560,7 +1559,6 @@ dontblock: m = m->m_next; } else { sbfree(&so->so_rcv, m); - mbuf_removed = 1; so->so_rcv.sb_mb = m_free(m); m = so->so_rcv.sb_mb; sockbuf_pushsync(&so->so_rcv, nextrecord); @@ -1586,7 +1584,6 @@ dontblock: m = m->m_next; } else { sbfree(&so->so_rcv, m); - mbuf_removed = 1; so->so_rcv.sb_mb = m->m_next; m->m_next = NULL; *cme = m; @@ -1710,16 +1707,17 @@ dontblock: SOCKBUF_LOCK(&so->so_rcv); if (error) { /* - * If any part of the record has been removed - * (such as the MT_SONAME mbuf, which will - * happen when PR_ADDR, and thus also - * PR_ATOMIC, is set), then drop the entire - * record to maintain the atomicity of the - * receive operation. + * The MT_SONAME mbuf has already been removed + * from the record, so it is necessary to + * remove the data mbufs, if any, to preserve + * the invariant in the case of PR_ADDR that + * requires MT_SONAME mbufs at the head of + * each record. */ - if (m && mbuf_removed && - (pr->pr_flags & PR_ATOMIC)) + if (m && pr->pr_flags & PR_ATOMIC + && ((flags & MSG_PEEK) == 0)) { (void)sbdroprecord_locked(&so->so_rcv); + } goto release; } } else diff --git a/tools/regression/sockets/pr_atomic/Makefile b/tools/regression/sockets/pr_atomic/Makefile new file mode 100644 index 00000000000..b825c80fcab --- /dev/null +++ b/tools/regression/sockets/pr_atomic/Makefile @@ -0,0 +1,7 @@ +# $FreeBSD$ + +PROG= pr_atomic +NO_MAN= +WARNS?= 3 + +.include diff --git a/tools/regression/sockets/pr_atomic/pr_atomic.c b/tools/regression/sockets/pr_atomic/pr_atomic.c new file mode 100644 index 00000000000..69bbac782a5 --- /dev/null +++ b/tools/regression/sockets/pr_atomic/pr_atomic.c @@ -0,0 +1,109 @@ +/*- + * Copyright (c) 2006 Bruce M. Simpson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +/* + * Regression test for uiomove in kernel; specifically for PR kern/38495. + */ + +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include + +#define TEST_SOCKET "/tmp/test_socket" + +static jmp_buf myjmpbuf; + +void handle_sigalrm(int signo); + +void handle_sigalrm(int signo) +{ + longjmp(myjmpbuf, 1); +} + +int +main(int argc, char *argv[]) +{ + struct sockaddr_un un; + pid_t pid; + int s; + + s = socket(PF_LOCAL, SOCK_DGRAM, 0); + if (s == -1) + errx(-1, "socket"); + memset(&un, 0, sizeof(un)); + un.sun_family = AF_LOCAL; + unlink(TEST_SOCKET); + strcpy(un.sun_path, TEST_SOCKET); + if (bind(s, (struct sockaddr *)&un, sizeof(un)) == -1) + errx(-1, "bind"); + pid = fork(); + if (pid == -1) + errx(-1, "fork"); + if (pid == 0) { + int conn; + char buf[] = "AAAAAAAAA"; + + close(s); + conn = socket(AF_LOCAL, SOCK_DGRAM, 0); + if (conn == -1) + errx(-1,"socket"); + if (sendto(conn, buf, sizeof(buf), 0, (struct sockaddr *)&un, + sizeof(un)) != sizeof(buf)) + errx(-1,"sendto"); + close(conn); + _exit(0); + } + + sleep(5); + + /* Make sure the data is there when we try to receive it. */ + if (recvfrom(s, (void *)-1, 1, 0, NULL, NULL) != -1) + errx(-1,"recvfrom succeeded when failure expected"); + + (void)signal(SIGALRM, handle_sigalrm); + if (setjmp(myjmpbuf) == 0) { + /* + * This recvfrom will panic an unpatched system, and block + * a patched one. + */ + alarm(5); + (void)recvfrom(s, (void *)-1, 1, 0, NULL, NULL); + } + + /* We should reach here via longjmp() and all should be well. */ + + return (0); +}