git: 1b91978f6375 - main - tcp: remove a condition in tcp_usr_detach() that never happens
Date: Thu, 07 Jul 2022 04:10:39 UTC
The branch main has been updated by glebius:
URL: https://cgit.FreeBSD.org/src/commit/?id=1b91978f6375023b00c7d2b49a778765ce4ee6b8
commit 1b91978f6375023b00c7d2b49a778765ce4ee6b8
Author: Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2022-07-07 04:09:45 +0000
Commit: Gleb Smirnoff <glebius@FreeBSD.org>
CommitDate: 2022-07-07 04:09:45 +0000
tcp: remove a condition in tcp_usr_detach() that never happens
The comment from Robert Watson doubts that this condition ever happens.
Our analysis confirms that. Also, we found that if you manage to create
such a connection with the help of some other bug, then after the "second
case" code is executed, the kernel will panic in another part of the stack.
Reviewed by: rrs, tuexen
Differential revision: https://reviews.freebsd.org/D35714
---
sys/netinet/tcp_usrreq.c | 24 ++++++++----------------
1 file changed, 8 insertions(+), 16 deletions(-)
diff --git a/sys/netinet/tcp_usrreq.c b/sys/netinet/tcp_usrreq.c
index cdeb2cbcd98e..158ed5d9658c 100644
--- a/sys/netinet/tcp_usrreq.c
+++ b/sys/netinet/tcp_usrreq.c
@@ -272,23 +272,15 @@ tcp_usr_detach(struct socket *so)
}
} else {
/*
- * If the connection is not in timewait, we consider two
- * two conditions: one in which no further processing is
- * necessary (dropped || embryonic), and one in which TCP is
- * not yet done, but no longer requires the socket, so the
- * pcb will persist for the time being.
- *
- * XXXRW: Does the second case still occur?
+ * If the connection is not in timewait, it must be either
+ * dropped or embryonic.
*/
- if (inp->inp_flags & INP_DROPPED ||
- tp->t_state < TCPS_SYN_SENT) {
- tcp_discardcb(tp);
- in_pcbdetach(inp);
- in_pcbfree(inp);
- } else {
- in_pcbdetach(inp);
- INP_WUNLOCK(inp);
- }
+ KASSERT(inp->inp_flags & INP_DROPPED ||
+ tp->t_state < TCPS_SYN_SENT,
+ ("%s: inp %p not dropped or embryonic", __func__, inp));
+ tcp_discardcb(tp);
+ in_pcbdetach(inp);
+ in_pcbfree(inp);
}
}
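Review bot: The KASSERT that replaces the removed else branch is compiled only into INVARIANTS kernels, so on a production kernel a connection that is neither INP_DROPPED nor below TCPS_SYN_SENT now falls straight through to tcp_discardcb() and in_pcbfree() instead of the old in_pcbdetach() plus INP_WUNLOCK() path. The commit message says that case already ends in a panic elsewhere, but the new comment only states "it must be either dropped or embryonic" without saying what guarantees it; consider recording that reasoning in the comment. It would also help to include tp->t_state and inp->inp_flags in the KASSERT message, so a tripped assertion shows which half of the condition failed rather than just the inp pointer.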