From: Rainer Toebbicke Date: Mon, 18 Oct 2004 06:12:45 +0000 (+0000) Subject: STABLE12-rx-protect-queue-during-debug-20040601 X-Git-Tag: openafs-stable-1_2_12~14 X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=f7ccd84bbd306f5af9055e5ca88dbbc25ce36192;p=packages%2Fo%2Fopenafs.git STABLE12-rx-protect-queue-during-debug-20040601 FIXES 4811 "in rx_packet.c:rxi_ReceiveDebugPacket() the rx_idleServerQueue is scanned without taking a lock first. The queue_Remove macro zeroes the ->next field (luckily), but this can lead to a crash when Murphy strikes and the entry gets removed during the scan: queue_Scan will dereference 0x0 -> next. " (cherry picked from commit 8d442bea4f760366b0c2bb2053e0ebf6ffa3d5c6) --- diff --git a/src/rx/rx_packet.c b/src/rx/rx_packet.c index 6f2034b3b..4276f9d90 100644 --- a/src/rx/rx_packet.c +++ b/src/rx/rx_packet.c @@ -1142,6 +1142,7 @@ struct rx_packet *rxi_ReceiveDebugPacket(ap, asocket, ahost, aport, istack) #ifndef RX_ENABLE_LOCKS tstat.waitingForPackets = rx_waitingForPackets; #endif + MUTEX_ENTER(&rx_serverPool_lock); tstat.nFreePackets = htonl(rx_nFreePackets); tstat.callsExecuted = htonl(rxi_nCalls); tstat.packetReclaims = htonl(rx_packetReclaims); @@ -1149,6 +1150,7 @@ struct rx_packet *rxi_ReceiveDebugPacket(ap, asocket, ahost, aport, istack) tstat.nWaiting = htonl(rx_nWaiting); queue_Count( &rx_idleServerQueue, np, nqe, rx_serverQueueEntry, tstat.idleThreads); + MUTEX_EXIT(&rx_serverPool_lock); tstat.idleThreads = htonl(tstat.idleThreads); tl = sizeof(struct rx_debugStats) - ap->length; if (tl > 0)
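Review bot: In the first hunk, MUTEX_ENTER(&rx_serverPool_lock) is taken before the tstat.nFreePackets, tstat.callsExecuted and tstat.packetReclaims assignments, although the commit message names only the rx_idleServerQueue scan as the unprotected access. If those counters are not guarded by rx_serverPool_lock, move the MUTEX_ENTER down to just before queue_Count so the critical section covers only the scan. If any of the values read in between are meant to be read under this lock, add a comment saying which ones, so the wider placement does not look accidental.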
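Review bot: In the second hunk, the MUTEX_EXIT placed directly after queue_Count closes the race described in the commit message only if every path that calls queue_Remove on an rx_idleServerQueue entry also holds rx_serverPool_lock, and nothing in this patch shows that. Confirm it for the removers and add a comment at the queue_Count call stating that rx_idleServerQueue is protected by rx_serverPool_lock. Leaving the htonl(tstat.idleThreads) conversion after the unlock is fine, since that line reads only tstat and not the queue.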