| commit | f0a99adbb6ef06d02f705b68e3a9064342318fde | |
| author | Matthew Dillon <dillon@dragonflybsd.org> | |
| Wed, 4 Jul 2007 23:36:26 +0000 (4 23:36 +0000) | ||
| committer | Matthew Dillon <dillon@dragonflybsd.org> | |
| Wed, 4 Jul 2007 23:36:26 +0000 (4 23:36 +0000) | ||
| tree | eb4d6fd12370c635ec0ee8182e2b267f0512a7bf | treesnapshot (tar.gz zip) |
| parent | 78d39cab84f7b233f97bc3dba296f6084846dc35 | commitdiff |
Fix an insufficient test of the message flags when determining whether
an abortable request has already completed or not.
Abort requests are sent to the same port as the original message which
means that the original message will have been processes and either replied
to or queued before the abort message is acted upon. However, when an
abort message is replied the MSGF_DONE bit is *NOT* set until the reply
reaches the reply port, potentially requiring an IPI.
This can lead to a race where the code processing an abort request
incorrectly determines that the message has not yet been replied when in
fact it has, leading to a double-reply and a panic.
The solution is to test the MSGF_REPLY bit, which is set by the target
cpu (the one processing the original message) when replying to the message
prior to issuing any IPI.
Reported-by: Peter Avalos <pavalos@crater.dragonflybsd.org>
Dragonfly-bug: <http://bugs.dragonflybsd.org/issue717>
an abortable request has already completed or not.
Abort requests are sent to the same port as the original message which
means that the original message will have been processes and either replied
to or queued before the abort message is acted upon. However, when an
abort message is replied the MSGF_DONE bit is *NOT* set until the reply
reaches the reply port, potentially requiring an IPI.
This can lead to a race where the code processing an abort request
incorrectly determines that the message has not yet been replied when in
fact it has, leading to a double-reply and a panic.
The solution is to test the MSGF_REPLY bit, which is set by the target
cpu (the one processing the original message) when replying to the message
prior to issuing any IPI.
Reported-by: Peter Avalos <pavalos@crater.dragonflybsd.org>
Dragonfly-bug: <http://bugs.dragonflybsd.org/issue717>
| sys/kern/uipc_msg.c | diffblobblamehistory |