Skip to content

Possible race in TCP accepting vs quota

There's a possibility of a race in TCP accepting code:

  1. T1 accepts a connection C1
  2. T2 accepts a connection C2
  3. T1 tries to accept a connection C3, but we hit a quota, isc_quota_cb_init() sets quota_accept_cb for the socket, we return from accept_connection
  4. T2 drops C2, but we race in quota_release with accepting C3 so we don't see quota->waiting is > 0, we don't launch the callback
  5. T1 accepts a connection C4, we are able to get the quota we clear the quota_accept_cb from sock->quotacb
  6. T1 drops C1, tries to call the callback which is zeroed, sigsegv.
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information