git: df07bfda67ad - main - tcp: Fix a locking issue

From: Michael Tuexen <tuexen_at_FreeBSD.org>
Date: Fri, 12 Nov 2021 21:14:01 UTC
The branch main has been updated by tuexen:

URL: https://cgit.FreeBSD.org/src/commit/?id=df07bfda67adc889b900126e31babb37e9ecae90

commit df07bfda67adc889b900126e31babb37e9ecae90
Author:     Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2021-11-12 21:08:18 +0000
Commit:     Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2021-11-12 21:13:50 +0000

    tcp: Fix a locking issue
    
    INP_WLOCK_RECHECK_CLEANUP() and INP_WLOCK_RECHECK() might return
    from the function, so any locks held must be released.
    
    Reported by:            syzbot+b1a888df08efaa7b4bf1@syzkaller.appspotmail.com
    Reviewed by:            markj
    Sponsored by:           Netflix, Inc.
    Differential Revision:  https://reviews.freebsd.org/D32975
---
 sys/netinet/tcp_usrreq.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/sys/netinet/tcp_usrreq.c b/sys/netinet/tcp_usrreq.c
index 4e03ad8ba095..968e102248d7 100644
--- a/sys/netinet/tcp_usrreq.c
+++ b/sys/netinet/tcp_usrreq.c
@@ -2073,11 +2073,16 @@ no_mem_needed:
 			free(ptr, M_CC_MEM);
 		goto do_over;
 	}
-	if (ptr)  {
+	INP_WLOCK(inp);
+	if (inp->inp_flags & (INP_TIMEWAIT | INP_DROPPED)) {
+		INP_WUNLOCK(inp);
+		CC_LIST_RUNLOCK();
+		free(ptr, M_CC_MEM);
+		return (ECONNRESET);
+	}
+	tp = intotcpcb(inp);
+	if (ptr != NULL)
 		memset(ptr, 0, mem_sz);
-		INP_WLOCK_RECHECK_CLEANUP(inp, free(ptr, M_CC_MEM));
-	} else
-		INP_WLOCK_RECHECK(inp);
 	CC_LIST_RUNLOCK();
 	cc_mem.ccvc.tcp = tp;
 	/*
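Review bot: the early-return path added before `return (ECONNRESET);` calls `free(ptr, M_CC_MEM)` unconditionally, while the line that follows guards `memset` with `if (ptr != NULL)`, so on the `no_mem_needed` path `ptr` is NULL here; this is correct only because free(9) accepts a NULL pointer, and a short comment on that line would make the asymmetry intentional rather than surprising. The lock release order in that path (`INP_WUNLOCK(inp)` before `CC_LIST_RUNLOCK()`) is the reverse of acquisition and matches the cleanup the removed `INP_WLOCK_RECHECK_CLEANUP()` macro performed, and `tp` is now re-derived via `intotcpcb(inp)` only after the write lock is held and the TIMEWAIT/DROPPED check has passed, which is the point of the fix.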