Date: Fri, 12 Nov 2021 21:14:01 GMT
From: Michael Tuexen <tuexen@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: df07bfda67ad - main - tcp: Fix a locking issue
Message-ID: <202111122114.1ACLE13J015890@gitrepo.freebsd.org>
The branch main has been updated by tuexen: URL: https://cgit.FreeBSD.org/src/commit/?id=df07bfda67adc889b900126e31babb37e9ecae90 commit df07bfda67adc889b900126e31babb37e9ecae90 Author: Michael Tuexen <tuexen@FreeBSD.org> AuthorDate: 2021-11-12 21:08:18 +0000 Commit: Michael Tuexen <tuexen@FreeBSD.org> CommitDate: 2021-11-12 21:13:50 +0000 tcp: Fix a locking issue INP_WLOCK_RECHECK_CLEANUP() and INP_WLOCK_RECHECK() might return from the function, so any locks held must be released. Reported by: syzbot+b1a888df08efaa7b4bf1@syzkaller.appspotmail.com Reviewed by: markj Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D32975 --- sys/netinet/tcp_usrreq.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/sys/netinet/tcp_usrreq.c b/sys/netinet/tcp_usrreq.c index 4e03ad8ba095..968e102248d7 100644 --- a/sys/netinet/tcp_usrreq.c +++ b/sys/netinet/tcp_usrreq.c @@ -2073,11 +2073,16 @@ no_mem_needed: free(ptr, M_CC_MEM); goto do_over; } - if (ptr) { + INP_WLOCK(inp); + if (inp->inp_flags & (INP_TIMEWAIT | INP_DROPPED)) { + INP_WUNLOCK(inp); + CC_LIST_RUNLOCK(); + free(ptr, M_CC_MEM); + return (ECONNRESET); + } + tp = intotcpcb(inp); + if (ptr != NULL) memset(ptr, 0, mem_sz); - INP_WLOCK_RECHECK_CLEANUP(inp, free(ptr, M_CC_MEM)); - } else - INP_WLOCK_RECHECK(inp); CC_LIST_RUNLOCK(); cc_mem.ccvc.tcp = tp; /*
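Review bot: In the added block, memset(ptr, 0, mem_sz) now runs after INP_WLOCK(inp), so the buffer is zeroed while the inpcb write lock is held, whereas the removed code called memset() before INP_WLOCK_RECHECK_CLEANUP(). Zeroing does not depend on inp state, so consider moving the "if (ptr != NULL) memset(ptr, 0, mem_sz);" pair above INP_WLOCK(inp) to keep the lock hold time as short as it was. The open-coded (INP_TIMEWAIT | INP_DROPPED) check would also benefit from a one-line comment saying it replaces the RECHECK macros because this path must call CC_LIST_RUNLOCK() before returning; without that, a later cleanup could fold it back into the macro and reintroduce the leaked lock. The early-return path calls free(ptr, M_CC_MEM) unconditionally even though the next statement treats ptr as possibly NULL; that is fine if free() is a no-op for NULL, but it is worth stating in that same comment.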