git: 947d455fe545 - stable/13 - sctp: further improve shutting down the read side of a socket

From: Michael Tuexen <tuexen_at_FreeBSD.org>
Date: Thu, 11 Jan 2024 13:00:02 UTC
The branch stable/13 has been updated by tuexen:

URL: https://cgit.FreeBSD.org/src/commit/?id=947d455fe545687a4cadb4d87c6a2139ca73b6c9

commit 947d455fe545687a4cadb4d87c6a2139ca73b6c9
Author:     Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2023-09-13 11:02:51 +0000
Commit:     Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2024-01-11 12:59:04 +0000

    sctp: further improve shutting down the read side of a socket
    
    Deal with the case that the association is already gone.
    
    Reported by:    syzbot+e256d42e9b390564530a@syzkaller.appspotmail.com
    
    (cherry picked from commit bb56b36d7188e004840294d0bd5dfdf7f3392a05)
---
 sys/netinet/sctp_usrreq.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/sys/netinet/sctp_usrreq.c b/sys/netinet/sctp_usrreq.c
index 9f1a33b5ff2a..3289d86ba831 100644
--- a/sys/netinet/sctp_usrreq.c
+++ b/sys/netinet/sctp_usrreq.c
@@ -818,11 +818,9 @@ sctp_flush(struct socket *so, int how)
 		return (0);
 	}
 	stcb = LIST_FIRST(&inp->sctp_asoc_list);
-	if (stcb == NULL) {
-		SCTP_INP_WUNLOCK(inp);
-		return (ENOTCONN);
+	if (stcb != NULL) {
+		SCTP_TCB_LOCK(stcb);
 	}
-	SCTP_TCB_LOCK(stcb);
 	SCTP_INP_READ_LOCK(inp);
 	inp->sctp_flags |= SCTP_PCB_FLAGS_SOCKET_CANT_READ;
 	SOCK_LOCK(so);
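Review bot: The new `if (stcb != NULL)` branch makes the TCB lock optional for the rest of sctp_flush(), but nothing in the code says that a NULL `stcb` is now an accepted state rather than an error. A short comment above the test would record this, for example `/* The association may already be gone; the socket is still marked as unreadable below. */`. The early `ENOTCONN` return is also removed, so callers presumably now get 0 in this case; that is worth one sentence in the function's header comment if callers depended on the old value. The function starts before this hunk and continues after it, so the locking on entry is not visible here.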
@@ -848,7 +846,7 @@ sctp_flush(struct socket *so, int how)
 	}
 	SOCK_UNLOCK(so);
 	SCTP_INP_READ_UNLOCK(inp);
-	if (need_to_abort) {
+	if (need_to_abort && (stcb != NULL)) {
 		inp->last_abort_code = SCTP_FROM_SCTP_USRREQ + SCTP_LOC_6;
 		SCTP_INP_WUNLOCK(inp);
 		op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
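Review bot: The added `(stcb != NULL)` test protects only the abort path, while the code between the first hunk and this one is not shown and now runs with a possibly NULL `stcb` and without the TCB lock held. If anything in that elided stretch dereferences `stcb` or passes it to a helper that does, it needs the same `stcb != NULL` guard, otherwise the NULL dereference only moves a few lines down. When `need_to_abort` is set but the association is gone, the function falls through and returns 0. A comment such as `/* No association left to abort. */` on the fall-through would show that this is intended.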
@@ -857,7 +855,9 @@ sctp_flush(struct socket *so, int how)
 		NET_EPOCH_EXIT(et);
 		return (ECONNABORTED);
 	}
-	SCTP_TCB_UNLOCK(stcb);
+	if (stcb != NULL) {
+		SCTP_TCB_UNLOCK(stcb);
+	}
 	SCTP_INP_WUNLOCK(inp);
 	return (0);
 }