Date: Mon, 20 Sep 2021 13:55:37 GMT
From: Michael Tuexen <tuexen@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: 34b1efcea19d - main - sctp: use a valid outstream when adding it to the scheduler
Message-ID: <202109201355.18KDtb4r099981@gitrepo.freebsd.org>
The branch main has been updated by tuexen: URL: https://cgit.FreeBSD.org/src/commit/?id=34b1efcea19dd4324eecd19d2de313d039fd9656 commit 34b1efcea19dd4324eecd19d2de313d039fd9656 Author: Michael Tuexen <tuexen@FreeBSD.org> AuthorDate: 2021-09-20 13:52:10 +0000 Commit: Michael Tuexen <tuexen@FreeBSD.org> CommitDate: 2021-09-20 13:52:10 +0000 sctp: use a valid outstream when adding it to the scheduler Without holding the stcb send lock, the outstreams might get reallocated if the number of streams are increased. Reported by: syzbot+4a5431d7caa666f2c19c@syzkaller.appspotmail.com Reported by: syzbot+aa2e3b013a48870e193d@syzkaller.appspotmail.com Reported by: syzbot+e4368c3bde07cd2fb29f@syzkaller.appspotmail.com Reported by: syzbot+fe2f110e34811ea91690@syzkaller.appspotmail.com Reported by: syzbot+ed6e8de942351d0309f4@syzkaller.appspotmail.com MFC after: 1 week --- sys/netinet/sctp_output.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sys/netinet/sctp_output.c b/sys/netinet/sctp_output.c index 35a834438895..434ab7e1f8dc 100644 --- a/sys/netinet/sctp_output.c +++ b/sys/netinet/sctp_output.c @@ -6337,7 +6337,6 @@ sctp_msg_append(struct sctp_tcb *stcb, error = EINVAL; goto out_now; } - strm = &stcb->asoc.strmout[srcv->sinfo_stream]; /* Now can we send this? */ if ((SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_SENT) || (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_ACK_SENT) || @@ -6396,6 +6395,7 @@ sctp_msg_append(struct sctp_tcb *stcb, if (hold_stcb_lock == 0) { SCTP_TCB_SEND_LOCK(stcb); } + strm = &stcb->asoc.strmout[srcv->sinfo_stream]; sctp_snd_sb_alloc(stcb, sp->length); atomic_add_int(&stcb->asoc.stream_queue_cnt, 1); TAILQ_INSERT_TAIL(&strm->outqueue, sp, next); @@ -13137,6 +13137,8 @@ skip_preblock: goto out; } SCTP_TCB_SEND_LOCK(stcb); + /* The out streams might be reallocated. */ + strm = &stcb->asoc.strmout[srcv->sinfo_stream]; if (sp->msg_is_complete) { strm->last_msg_incomplete = 0; asoc->stream_locked = 0;
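Review bot: With the early `strm = &stcb->asoc.strmout[srcv->sinfo_stream];` removed in the first sctp_msg_append() hunk (@@ -6337), strm holds no valid value until the new assignment under the send lock, so nothing between the two points, including the `goto out_now` error exits, may dereference it. Please confirm that no such use exists, and consider initialising strm to NULL at its declaration so that a missed use faults deterministically instead of reading an indeterminate pointer.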
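Review bot: The new `strm = &stcb->asoc.strmout[srcv->sinfo_stream];` in the second sctp_msg_append() hunk (@@ -6396) has no comment, while the identical line in the skip_preblock hunk is annotated with `/* The out streams might be reallocated. */`; add the same comment here so the ordering is not undone by a later cleanup. The lock is only taken when `hold_stcb_lock == 0`, so in the other case the assignment depends on the caller already holding the send lock; a lock assertion just before the assignment would document and enforce that.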
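Review bot: In the skip_preblock hunk (@@ -13137) strm is re-read after `SCTP_TCB_SEND_LOCK(stcb)`, but the diffstat shows the patch's single deletion is in sctp_msg_append(), so any earlier assignment of strm in this function stays in place and any use of it before the lock still goes through a pointer that may have been reallocated. Please check those earlier uses, and extend the comment to say that the reallocation can happen whenever the send lock is not held and the number of streams is increased, as the commit message does.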