From ups@tree.com  Tue Aug  3 02:13:37 2004
Message-Id: <200408030213.i732DSxH097394@palm.tree.com>
Date: Mon, 2 Aug 2004 22:13:28 -0400 (EDT)
From: Stephan Uphoff <ups@tree.com>
Reply-To: Stephan Uphoff <ups@tree.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: lockmgr can concurrently grant two exclusive locks
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         69934
>Category:       kern
>Synopsis:       lockmgr can concurrently grant two exclusive locks
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kan
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 03 02:20:23 GMT 2004
>Closed-Date:    Mon Jun 27 23:06:12 GMT 2005
>Last-Modified:  Mon Jun 27 23:06:12 GMT 2005
>Originator:     Stephan Uphoff
>Release:        FreeBSD 5.2.1-RELEASE-p5 i386
>Organization:
>Environment:
System: FreeBSD palm.tree.com 5.2.1-RELEASE-p5 FreeBSD 5.2.1-RELEASE-p5 #2: Fri May 7 20:06:27 EDT 2004 ups@palm.tree.com:/usr/obj/usr/src/sys/PALM i386


	
>Description:
Upgrading a lock does not play well together with acquiring
an exclusive lock and can lead to two threads being
granted exclusive access.

Problematic sequence:
Thread A acquires a previously unlocked lock in shared mode.
Thread B tries to acquire the same lock in exclusive mode
and blocks.
Thread A upgrades its lock - waking up thread B.
Thread B wakes up and also acquires the same lock as it only checks
if the lock is not shared or if someone wants to upgrade the lock
and not if someone already upgraded the lock to an exclusive lock.


>How-To-Repeat:
	
>Fix:

Minimal patch:
--------------

diff -u -r1.73 kern_lock.c
--- kern_lock.c	23 Jul 2004 20:12:56 -0000	1.73
+++ kern_lock.c	3 Aug 2004 01:38:07 -0000
@@ -389,7 +389,7 @@
 		/*
 		 * Wait for shared locks and upgrades to finish.
 		 */
-		error = acquire(&lkp, extflags, LK_WANT_UPGRADE | LK_SHARE_NONZERO);
+		error = acquire(&lkp, extflags, LK_HAVE_EXCL | LK_WANT_UPGRADE | LK_SHARE_NONZERO);
 		lkp->lk_flags &= ~LK_WANT_EXCL;
 		if (error)
 			break;
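
Review bot: the comment kept above the changed acquire() call, "Wait for shared locks and upgrades to finish.", no longer describes the wait mask now that LK_HAVE_EXCL is part of it. Extend it to mention an existing exclusive holder, which is the case from the description where thread A has already completed its upgrade. The new line also runs well past 80 columns and would read better wrapped after extflags.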


Better Patch:
-------------

diff -u -r1.73 kern_lock.c
--- kern_lock.c	23 Jul 2004 20:12:56 -0000	1.73
+++ kern_lock.c	3 Aug 2004 01:51:34 -0000
@@ -382,14 +382,14 @@
 		/*
 		 * Try to acquire the want_exclusive flag.
 		 */
-		error = acquire(&lkp, extflags, (LK_HAVE_EXCL | LK_WANT_EXCL));
+		error = acquire(&lkp, extflags,  LK_WANT_EXCL);
 		if (error)
 			break;
 		lkp->lk_flags |= LK_WANT_EXCL;
 		/*
 		 * Wait for shared locks and upgrades to finish.
 		 */
-		error = acquire(&lkp, extflags, LK_WANT_UPGRADE | LK_SHARE_NONZERO);
+		error = acquire(&lkp, extflags, LK_HAVE_EXCL | LK_WANT_UPGRADE | LK_SHARE_NONZERO);
 		lkp->lk_flags &= ~LK_WANT_EXCL;
 		if (error)
 			break;
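
Review bot: with LK_HAVE_EXCL dropped from the first acquire() mask, a requester now sets LK_WANT_EXCL while another thread may still hold the lock exclusively, and neither the "Try to acquire the want_exclusive flag" comment nor the PR text says why this ordering is preferable to the minimal patch. A sentence of rationale in that comment or in the fix description would help. The "Wait for shared locks and upgrades to finish." comment above the second acquire() also no longer matches its mask once LK_HAVE_EXCL is added, and "extflags,  LK_WANT_EXCL" has a doubled space.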
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->kan 
Responsible-Changed-By: kan 
Responsible-Changed-When: Wed Aug 4 03:30:26 GMT 2004 
Responsible-Changed-Why:  
Grab this PR too. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=69934 
State-Changed-From-To: open->closed 
State-Changed-By: kan 
State-Changed-When: Mon Jun 27 23:05:00 GMT 2005 
State-Changed-Why:  
The patch was committed to pre-releng5 -current a while ago. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=69934 
>Unformatted:
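
The sequence from the Description, replayed in a small single-threaded model. This is an added example, not code from the PR or from kern_lock.c. The flag values, struct lock_model, must_wait() and replay() are constructed for illustration, and the model assumes thread A's upgrade has completed before thread B re-tests its wait mask.

```c
#include <stdbool.h>

/* Constructed values for this model; the kernel's definitions are not in the PR. */
#define LK_WANT_UPGRADE  0x01u
#define LK_WANT_EXCL     0x02u
#define LK_HAVE_EXCL     0x04u
#define LK_SHARE_NONZERO 0x08u

struct lock_model { unsigned flags; int excl_holders; };

/* Model of the wait test: the caller sleeps while any bit in 'wanted' is set. */
static bool must_wait(const struct lock_model *lk, unsigned wanted)
{
    return (lk->flags & wanted) != 0;
}

/* Replays the sequence with the given mask for the second wait of the
 * exclusive path. Returns how many threads end up exclusive (1 is correct). */
static int replay(unsigned second_wait_mask)
{
    struct lock_model lk = {0, 0};

    /* Thread A takes the unlocked lock in shared mode. */
    lk.flags |= LK_SHARE_NONZERO;

    /* Thread B requests exclusive: sets WANT_EXCL, then blocks on A's share. */
    if (must_wait(&lk, LK_HAVE_EXCL | LK_WANT_EXCL)) return -1;
    lk.flags |= LK_WANT_EXCL;
    if (!must_wait(&lk, second_wait_mask)) return -1;

    /* Thread A upgrades: its share goes away, it becomes exclusive, B is woken. */
    lk.flags &= ~LK_SHARE_NONZERO;
    lk.flags |= LK_HAVE_EXCL;
    lk.excl_holders++;

    /* Thread B wakes up and re-tests its wait mask. */
    if (!must_wait(&lk, second_wait_mask)) {
        lk.flags &= ~LK_WANT_EXCL;
        lk.flags |= LK_HAVE_EXCL;
        lk.excl_holders++;              /* second exclusive owner: the bug */
    }
    return lk.excl_holders;
}

int main(void)
{
    int before = replay(LK_WANT_UPGRADE | LK_SHARE_NONZERO);
    int after = replay(LK_HAVE_EXCL | LK_WANT_UPGRADE | LK_SHARE_NONZERO);
    return (before == 2 && after == 1) ? 0 : 1;
}
```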
