git: df07bfda67ad - main - tcp: Fix a locking issue
Date: Fri, 12 Nov 2021 21:14:01 UTC
The branch main has been updated by tuexen: URL: https://cgit.FreeBSD.org/src/commit/?id=df07bfda67adc889b900126e31babb37e9ecae90 commit df07bfda67adc889b900126e31babb37e9ecae90 Author: Michael Tuexen <tuexen@FreeBSD.org> AuthorDate: 2021-11-12 21:08:18 +0000 Commit: Michael Tuexen <tuexen@FreeBSD.org> CommitDate: 2021-11-12 21:13:50 +0000 tcp: Fix a locking issue INP_WLOCK_RECHECK_CLEANUP() and INP_WLOCK_RECHECK() might return from the function, so any locks held must be released. Reported by: syzbot+b1a888df08efaa7b4bf1@syzkaller.appspotmail.com Reviewed by: markj Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D32975 --- sys/netinet/tcp_usrreq.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/sys/netinet/tcp_usrreq.c b/sys/netinet/tcp_usrreq.c index 4e03ad8ba095..968e102248d7 100644 --- a/sys/netinet/tcp_usrreq.c +++ b/sys/netinet/tcp_usrreq.c @@ -2073,11 +2073,16 @@ no_mem_needed: free(ptr, M_CC_MEM); goto do_over; } - if (ptr) { + INP_WLOCK(inp); + if (inp->inp_flags & (INP_TIMEWAIT | INP_DROPPED)) { + INP_WUNLOCK(inp); + CC_LIST_RUNLOCK(); + free(ptr, M_CC_MEM); + return (ECONNRESET); + } + tp = intotcpcb(inp); + if (ptr != NULL) memset(ptr, 0, mem_sz); - INP_WLOCK_RECHECK_CLEANUP(inp, free(ptr, M_CC_MEM)); - } else - INP_WLOCK_RECHECK(inp); CC_LIST_RUNLOCK(); cc_mem.ccvc.tcp = tp; /*
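Review bot: In the replacement block, memset(ptr, 0, mem_sz) now runs after INP_WLOCK(inp), whereas the removed lines zeroed the buffer before the inpcb lock was taken. Moving `if (ptr != NULL) memset(ptr, 0, mem_sz);` back above INP_WLOCK(inp) would keep the zeroing out of the write-locked section. The new error path also reaches free(ptr, M_CC_MEM) when ptr is NULL (the removed else branch had no cleanup action), so it depends on free() accepting a NULL pointer. A one-line comment saying so would help, as would one stating that the check is open-coded because the INP_WLOCK_RECHECK macros can return while the lock released by CC_LIST_RUNLOCK() is still held, so a later cleanup does not reintroduce them.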