Re: List corruption on epoll_ctl(EPOLL_CTL_DEL) an AF_UNIX socket
From: Jason Baron <jbaron@akamai.com>
Date: 2015-10-01 02:40:07
Also in:
lkml
On 09/30/2015 01:54 AM, Mathias Krause wrote:
> On 29 September 2015 at 21:09, Jason Baron [off-list ref] wrote:
>> However, if we call connect on socket 's', to connect to a new socket 'o2', we drop the reference on the original socket 'o'. Thus, we can now close socket 'o' without unregistering from epoll. Then, when we either close the ep or unregister 'o', we end up with this list corruption. Thus, this is not a race per se, but can be triggered sequentially.
>
> Sounds profound, but the reproducer calls connect only once per socket. So there is no "connect to a new socket", no? But w/e, see below.

Yes, but it can be reproduced this way too. It can also happen with a close() on the remote peer 'o', and a send to 'o' from 's', which the reproducer can do as pointed out by Michal. The patch I sent deals with both cases.

Thanks,

-Jason