From ac7b8e28062207a6d6db1b0bd95207755749fa7c Mon Sep 17 00:00:00 2001
From: Sepherosa Ziehau <sephe@dragonflybsd.org>
Date: Fri, 4 Dec 2015 10:20:40 +0800
Subject: [PATCH] socket: so_ref 0->1 transition is valid for an aborted socket
 on so_comp

Add comment about it.

Reported-by: marino@, dillon@
---
 sys/sys/socketvar2.h | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/sys/sys/socketvar2.h b/sys/sys/socketvar2.h
index 97c611d759..880640d5c1 100644
--- a/sys/sys/socketvar2.h
+++ b/sys/sys/socketvar2.h
@@ -116,8 +116,13 @@ soclrstate(struct socket *so, short state)
 static __inline void
 soreference(struct socket *so)
 {
-	/* 0->1 transition will never work */
-	KASSERT(so->so_refs > 0, ("invalid so_refs %d", so->so_refs));
+	/*
+	 * 0 -> 1 transition will happen on an aborted
+	 * socket, which is left on the so_comp queue,
+	 * e.g. accept(2) the aborted socket, or when
+	 * the listen(2) socket owning the so_comp queue
+	 * is closed.
+	 */
 	atomic_add_int(&so->so_refs, 1);
 }
 
-- 
2.11.4.GIT