To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Andrew Gallatin
Subject: git: f14ca373dde5 - stable/15 - splice: Fix leaks that can happen when initiating a splice
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Date: Fri, 12 Dec 2025 12:49:39 +0000
Message-Id: <693c0f63.23f03.176546f0@gitrepo.freebsd.org>

The branch stable/15 has been updated by gallatin:

URL: https://cgit.FreeBSD.org/src/commit/?id=f14ca373dde536fe4dbded3da328f79226fbbfa5

commit f14ca373dde536fe4dbded3da328f79226fbbfa5
Author:     Andrew Gallatin
AuthorDate: 2025-12-09 21:06:20 +0000
Commit:     Andrew Gallatin
CommitDate: 2025-12-12 12:43:33 +0000

    splice: Fix leaks that can happen when initiating a splice

    - change the state to SPLICE_EXCEPTION to allow so_unsplice() to work
      to cleanup failed splices (fixes socket reference leak)
    - NULL out sp->dst when unsplicing from so_splice() before so2 has
      been referenced.
    - Deal with a null sp->dst / so2 in so_unsplice
    - Fix asserts that talked about sp->state == SPLICE_INIT; that
      state is not possible here.

    Differential Revision: https://reviews.freebsd.org/D54157
    Reviewed by: markj
    Sponsored by: Netflix
    Fixes: c0c5d01e5374 ("so_splice: Synchronize so_unsplice() with so_splice()")
    MFC after: 3 days

    (cherry picked from commit a837d1fe49e0255d81c670dc271ff245ae960097)
---
 sys/kern/uipc_socket.c | 44 +++++++++++++++++++++++++++-----------------
 1 file changed, 27 insertions(+), 17 deletions(-)

diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c index 00aa5f9309b2..9eba3ad2e082 100644
--- a/sys/kern/uipc_socket.c +++ b/sys/kern/uipc_socket.c @@ -1726,6 +1726,10 @@ so_splice(struct socket *so, struct socket *so2, struct splice *splice) error = EBUSY; if (error != 0) { SOCK_UNLOCK(so2); + mtx_lock(&sp->mtx); + sp->dst = NULL; + sp->state = SPLICE_EXCEPTION; + mtx_unlock(&sp->mtx); so_unsplice(so, false); return (error); } @@ -1733,6 +1737,10 @@ so_splice(struct socket *so, struct socket *so2, struct splice *splice) if (so->so_snd.sb_tls_info != NULL) { SOCK_SENDBUF_UNLOCK(so2); SOCK_UNLOCK(so2); + mtx_lock(&sp->mtx); + sp->dst = NULL; + sp->state = SPLICE_EXCEPTION; + mtx_unlock(&sp->mtx); so_unsplice(so, false); return (EINVAL); } @@ -1799,20 +1807,20 @@ so_unsplice(struct socket *so, bool timeout) SOCK_UNLOCK(so); so2 = sp->dst; - SOCK_LOCK(so2); - KASSERT(!SOLISTENING(so2), ("%s: so2 is listening", __func__)); - SOCK_SENDBUF_LOCK(so2); - KASSERT(sp->state == SPLICE_INIT || - (so2->so_snd.sb_flags & SB_SPLICED) != 0, - ("%s: so2 is not spliced", __func__)); - KASSERT(sp->state == SPLICE_INIT || - so2->so_splice_back == sp, - ("%s: so_splice_back != sp", __func__)); - so2->so_snd.sb_flags &= ~SB_SPLICED; - so2rele = so2->so_splice_back != NULL; - so2->so_splice_back = NULL; - SOCK_SENDBUF_UNLOCK(so2); - SOCK_UNLOCK(so2); + if (so2 != NULL) { + SOCK_LOCK(so2); + KASSERT(!SOLISTENING(so2), ("%s: so2 is listening", __func__)); + SOCK_SENDBUF_LOCK(so2); + KASSERT((so2->so_snd.sb_flags & SB_SPLICED) != 0, + ("%s: so2 is not spliced", __func__)); + KASSERT(so2->so_splice_back == sp, + ("%s: so_splice_back != sp", __func__)); + so2->so_snd.sb_flags &= ~SB_SPLICED; + so2rele = so2->so_splice_back != NULL; + so2->so_splice_back = NULL; + SOCK_SENDBUF_UNLOCK(so2); + SOCK_UNLOCK(so2); + } /* * No new work is being enqueued. The worker thread might be 
@@ -1852,9 +1860,11 @@ so_unsplice(struct socket *so, bool timeout) sorwakeup(so); CURVNET_SET(so->so_vnet); sorele(so); - sowwakeup(so2); - if (so2rele) - sorele(so2); + if (so2 != NULL) { + sowwakeup(so2); + if (so2rele) + sorele(so2); + } CURVNET_RESTORE(); so_splice_free(sp); return (0);
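Review bot: In the first so_splice() hunk (@@ -1726, the `error != 0` path), the result of `so_unsplice(so, false)` is still discarded right after the new `sp->state = SPLICE_EXCEPTION` store. The four added lines exist so that this call can finish the cleanup, so a non-zero return here would presumably mean the cleanup did not happen, with nothing to show for it. so_unsplice() returns an int (the last hunk shows `return (0);`); consider checking it under INVARIANTS, for example `error2 = so_unsplice(so, false);` followed by `KASSERT(error2 == 0, ("%s: unsplice failed", __func__));` (`error2` is only a suggested name). A one-line comment above `sp->dst = NULL;` saying that so2 has not been referenced yet at this point would also help.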
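Review bot: The second so_splice() hunk (@@ -1733, the `so->so_snd.sb_tls_info != NULL` path) repeats the same four-line sequence as the hunk before it: lock `sp->mtx`, `sp->dst = NULL`, `sp->state = SPLICE_EXCEPTION`, unlock, each time followed by `so_unsplice(so, false)`. Two copies of an error-path invariant are easy to let drift apart; suggest moving the sequence plus the so_unsplice() call into one small static helper (or a shared error label), so that any failure path later added before so2 is referenced picks it up as well.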
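Review bot: In the so_unsplice() hunk at @@ -1799, `so2rele = so2->so_splice_back != NULL;` now comes directly after `KASSERT(so2->so_splice_back == sp, ...)`, both under the send buffer lock. With the `sp->state == SPLICE_INIT ||` escape removed from the assertion, so_splice_back is asserted to equal sp, which is non-NULL (it was just dereferenced for `sp->dst`), so so2rele is always true whenever so2 is non-NULL. Either drop so2rele and release so2 whenever `so2 != NULL`, or, if so_splice_back can still legitimately be NULL here, the new KASSERT is too strict and will fire on INVARIANTS kernels.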
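Review bot: In the last so_unsplice() hunk (@@ -1852), `so2rele` is read inside the new `if (so2 != NULL)` block, but it is now assigned only inside the matching block of the previous hunk, and its declaration is outside the visible context. Please confirm it is initialised to false where it is declared, or initialise it there, so the read does not depend on the two `so2 != NULL` guards staying in step. A short comment here that so2 is NULL only when so_splice() failed before so2 was referenced would also help the next reader.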