2022-07-26 20:18:34

by Attila Kovacs

[permalink] [raw]
Subject: [PATCH] SUNRPC: mutexed access blacklist_read state variable.

From: Attila Kovacs <[email protected]>

bindresvport()_sa(), in bidresvport.c checks blacklist_read w/o mutex
before calling load_blacklist() which changes blacklist_read() also
unmutexed.

Clearly, the point is to read the blacklist only once on the first call,
but because the checking whether the blacklist is loaded is not mutexed,
more than one thread may race to load the blacklist concurrently, which
of course can jumble the list because of the race condition.

The fix simply moves the checking within the mutexed aread of the code
to eliminate the race condition.

---
src/bindresvport.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/bindresvport.c b/src/bindresvport.c
index ef9b345..5c0ddcf 100644
--- a/src/bindresvport.c
+++ b/src/bindresvport.c
@@ -164,10 +164,11 @@ bindresvport_sa(sd, sa)
int endport = ENDPORT;
int i;

+ mutex_lock(&port_lock);
+
if (!blacklist_read)
load_blacklist();

- mutex_lock(&port_lock);
nports = ENDPORT - startport + 1;

if (sa == NULL) {
--
2.37.1


2022-07-28 13:29:02

by Steve Dickson

[permalink] [raw]
Subject: Re: [PATCH] SUNRPC: mutexed access blacklist_read state variable.



On 7/26/22 4:12 PM, Attila Kovacs wrote:
> From: Attila Kovacs <[email protected]>
>
> bindresvport()_sa(), in bidresvport.c checks blacklist_read w/o mutex
> before calling load_blacklist() which changes blacklist_read() also
> unmutexed.
>
> Clearly, the point is to read the blacklist only once on the first call,
> but because the checking whether the blacklist is loaded is not mutexed,
> more than one thread may race to load the blacklist concurrently, which
> of course can jumble the list because of the race condition.
>
> The fix simply moves the checking within the mutexed aread of the code
> to eliminate the race condition.
Committed (tag: libtirpc-1-3-3-rc4)

steved.
>
> ---
> src/bindresvport.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/src/bindresvport.c b/src/bindresvport.c
> index ef9b345..5c0ddcf 100644
> --- a/src/bindresvport.c
> +++ b/src/bindresvport.c
> @@ -164,10 +164,11 @@ bindresvport_sa(sd, sa)
> int endport = ENDPORT;
> int i;
>
> + mutex_lock(&port_lock);
> +
> if (!blacklist_read)
> load_blacklist();
>
> - mutex_lock(&port_lock);
> nports = ENDPORT - startport + 1;
>
> if (sa == NULL) {