From: Rainer Toebbicke Date: Wed, 2 Jun 2004 03:49:28 +0000 (+0000) Subject: rx-protect-queue-during-debug-20040601 X-Git-Tag: openafs-devel-1_3_65~85 X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=8d442bea4f760366b0c2bb2053e0ebf6ffa3d5c6;p=packages%2Fo%2Fopenafs.git rx-protect-queue-during-debug-20040601 FIXES 4811 "in rx_packet.c:rxi_ReceiveDebugPacket() the rx_idleServerQueue is scanned without taking a lock first. The queue_Remove macro zeroes the ->next field (luckily), but this can lead to a crash when Murphy strikes and the entry gets removed during the scan: queue_Scan will dereference 0x0 -> next. "
---
diff --git a/src/rx/rx_packet.c b/src/rx/rx_packet.c
index 12822bfa8..682af9354 100644
--- a/src/rx/rx_packet.c
+++ b/src/rx/rx_packet.c
@@ -1154,6 +1154,7 @@ rxi_ReceiveDebugPacket(register struct rx_packet *ap, osi_socket asocket,
 #ifndef RX_ENABLE_LOCKS
 tstat.waitingForPackets = rx_waitingForPackets;
 #endif
+ MUTEX_ENTER(&rx_serverPool_lock);
 tstat.nFreePackets = htonl(rx_nFreePackets);
 tstat.callsExecuted = htonl(rxi_nCalls);
 tstat.packetReclaims = htonl(rx_packetReclaims);
@@ -1161,6 +1162,7 @@ rxi_ReceiveDebugPacket(register struct rx_packet *ap, osi_socket asocket,
 tstat.nWaiting = htonl(rx_nWaiting);
 queue_Count(&rx_idleServerQueue, np, nqe, rx_serverQueueEntry,
 tstat.idleThreads);
+ MUTEX_EXIT(&rx_serverPool_lock);
 tstat.idleThreads = htonl(tstat.idleThreads);
 tl = sizeof(struct rx_debugStats) - ap->length;
 if (tl > 0)
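Review bot: The critical section opened by the added `MUTEX_ENTER(&rx_serverPool_lock);` in the first hunk starts three counter reads (`rx_nFreePackets`, `rxi_nCalls`, `rx_packetReclaims`) before the only access the commit message says needs the lock, the `queue_Count` scan of `rx_idleServerQueue` in the second hunk. This handler appears to answer debug packets received on a socket, so each such request now holds the server-pool lock longer than the scan requires. Unless the line between the two hunks (not visible here) or `rx_nWaiting` also depends on that lock, I would move the enter to directly before `queue_Count(...)`. Either way, a comment at the enter such as `/* rx_serverPool_lock guards rx_idleServerQueue: the scan must not race with queue_Remove */` would record why it is taken. The function body begins and ends outside both hunks, so any other queue scans in it are worth checking for the same unlocked access.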