Date:      Wed, 15 Oct 2025 20:47:21 GMT
From:      Gleb Smirnoff <glebius@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 4548b9f3a816 - main - unix/stream: plug a corner case when control externalization failed
Message-ID:  <202510152047.59FKlL5b081751@gitrepo.freebsd.org>

The branch main has been updated by glebius:

URL: https://cgit.FreeBSD.org/src/commit/?id=4548b9f3a8167a340a5086ed51a76d932c9ab3cc

commit 4548b9f3a8167a340a5086ed51a76d932c9ab3cc
Author:     Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2025-10-15 20:01:25 +0000
Commit:     Gleb Smirnoff <glebius@FreeBSD.org>
CommitDate: 2025-10-15 20:47:11 +0000

    unix/stream: plug a corner case when control externalization failed
    
    while peer has closed its end.
    
    Reported by:    syzbot+ffcc3612ea266e36604e@syzkaller.appspotmail.com
---
 sys/kern/uipc_usrreq.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index c5fc1e84ce3f..90489e99491a 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -1559,15 +1559,19 @@ restart:
 				mc_init_m(&cmc, control);
 
 				SOCK_RECVBUF_LOCK(so);
-				MPASS(!(sb->sb_state & SBS_CANTRCVMORE));
-
-				if (__predict_false(cmc.mc_len + sb->sb_ccc +
-				    sb->sb_ctl > sb->sb_hiwat)) {
+				if (__predict_false(
+				    (sb->sb_state & SBS_CANTRCVMORE) ||
+				    cmc.mc_len + sb->sb_ccc + sb->sb_ctl >
+				    sb->sb_hiwat)) {
 					/*
-					 * Too bad, while unp_externalize() was
-					 * failing, the other side had filled
-					 * the buffer and we can't prepend data
-					 * back. Losing data!
+					 * While the lock was dropped and we
+					 * were failing in unp_externalize(),
+					 * the peer could has a) disconnected,
+					 * b) filled the buffer so that we
+					 * can't prepend data back.
+					 * These are two edge conditions that
+					 * we just can't handle, so lose the
+					 * data and return the error.
 					 */
 					SOCK_RECVBUF_UNLOCK(so);
 					SOCK_IO_RECV_UNLOCK(so);
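Review bot: Replacing `MPASS(!(sb->sb_state & SBS_CANTRCVMORE))` with a runtime check inside the `__predict_false()` branch is the right fix: the hunk's own comment states that the receive buffer lock was dropped while unp_externalize() was failing, so `SBS_CANTRCVMORE` is a state the peer can change in that window and an assertion on it is a panic reachable by a peer closing at the wrong moment (matching the syzbot report in the commit message). Two small points on the new comment text: "the peer could has a) disconnected" should read "the peer could have a) disconnected", and since both conditions now share one branch it would help to state explicitly that the caller receives the unp_externalize() error in either case, so the data loss is signalled rather than silent.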
