On 11/09/2021 21:40, Mark Johnston wrote:
On Sat, Sep 11, 2021 at 09:25:42PM +0300, Andriy Gapon wrote:So, this is what I've got: diff --git a/sys/kern/sys_socket.c b/sys/kern/sys_socket.c index e53b0367960b..11ee03703407 100644 --- a/sys/kern/sys_socket.c +++ b/sys/kern/sys_socket.c @@ -210,7 +210,12 @@ soo_ioctl(struct file *fp, u_long cmd, void *data, struct ucred *active_cred, if (SOLISTENING(so)) { error = EINVAL; } else { - *(int *)data = sbavail(&so->so_rcv); + struct sockbuf *sb; + + sb = &so->so_rcv; + SOCKBUF_LOCK(sb); + *(int *)data = sbavail(sb) - sb->sb_ctl; + SOCKBUF_UNLOCK(sb); } break;It should use SOCK_RECVBUF_LOCK() (see https://cgit.freebsd.org/src/commit/?id=74a68313b503940158a2e8e8f02626d7cdbdaff9 ): sb = &so->so_rcv; SOCK_RECVBUF_LOCK(so); if (SOLISTENING(so)) error = EINVAL; else *(int *)data = sbavail(sb) - sb->sb_ctl; SOCK_RECVBUF_UNLOCK(so); Otherwise a concurrent listen(2) will clobber the pointer used by SOCKBUF_LOCK().
Oh, I see now. I haven't pulled that version yet, so I could not find SOCK_RECVBUF_LOCK in my tree :-)
Since you have the change and you did all the thinking work anyway, could you please commit it?
Thanks! -- Andriy Gapon
