git: 3dc57df91e65 - main - sctp: don't wakeup 1-to-1 listening sockets for data or notifications

From: Michael Tuexen <tuexen_at_FreeBSD.org>
Date: Sat, 16 Apr 2022 17:45:21 UTC
The branch main has been updated by tuexen:

URL: https://cgit.FreeBSD.org/src/commit/?id=3dc57df91e65acf9abfbb437110845f380a8b312

commit 3dc57df91e65acf9abfbb437110845f380a8b312
Author:     Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2022-04-16 17:42:27 +0000
Commit:     Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2022-04-16 17:42:27 +0000

    sctp: don't wakeup 1-to-1 listening sockets for data or notifications
    
    Reported by:    syzbot+ec9279d306a4ff0215f8@syzkaller.appspotmail.com
    Reported by:    syzbot+31d54f6d486333493dd4@syzkaller.appspotmail.com
    MFC after:      3 days
---
 sys/netinet/sctp_usrreq.c | 10 ++++------
 sys/netinet/sctputil.c    |  5 ++++-
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/sys/netinet/sctp_usrreq.c b/sys/netinet/sctp_usrreq.c
index 87fef518b9e8..65341796d197 100644
--- a/sys/netinet/sctp_usrreq.c
+++ b/sys/netinet/sctp_usrreq.c
@@ -5076,9 +5076,7 @@ sctp_setopt(struct socket *so, int optname, void *optval, size_t optsize,
 			} else {
 				sctp_feature_off(inp, SCTP_PCB_FLAGS_STREAM_RESETEVNT);
 			}
-			SCTP_INP_WUNLOCK(inp);
 
-			SCTP_INP_RLOCK(inp);
 			LIST_FOREACH(stcb, &inp->sctp_asoc_list, sctp_tcblist) {
 				SCTP_TCB_LOCK(stcb);
 				if (events->sctp_association_event) {
@@ -5138,10 +5136,10 @@ sctp_setopt(struct socket *so, int optname, void *optval, size_t optsize,
 			 * style sockets.
 			 */
 			if (events->sctp_sender_dry_event) {
-				if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
-				    (inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
+				if (((stcb->sctp_ep->sctp_flags & (SCTP_PCB_FLAGS_TCPTYPE | SCTP_PCB_FLAGS_IN_TCPPOOL)) != 0) &&
+				    !SCTP_IS_LISTENING(inp)) {
 					stcb = LIST_FIRST(&inp->sctp_asoc_list);
-					if (stcb) {
+					if (stcb != NULL) {
 						SCTP_TCB_LOCK(stcb);
 						if (TAILQ_EMPTY(&stcb->asoc.send_queue) &&
 						    TAILQ_EMPTY(&stcb->asoc.sent_queue) &&
@@ -5152,7 +5150,7 @@ sctp_setopt(struct socket *so, int optname, void *optval, size_t optsize,
 					}
 				}
 			}
-			SCTP_INP_RUNLOCK(inp);
+			SCTP_INP_WUNLOCK(inp);
 			break;
 		}
 	case SCTP_ADAPTATION_LAYER:
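Review bot: The new test reads `stcb->sctp_ep->sctp_flags` before `stcb` is assigned from `LIST_FIRST(&inp->sctp_asoc_list)` two lines later; at that point `stcb` is the iterator of the `LIST_FOREACH` that precedes this hunk, which is NULL once the loop runs to completion, so on the common path this is a NULL pointer dereference (only a `break` inside the loop body, which lies outside the hunk, would leave it non-NULL). The removed line read the same flags from `inp`, and `stcb->sctp_ep` is presumably that same endpoint, so the flag read should stay on `inp`: `if (((inp->sctp_flags & (SCTP_PCB_FLAGS_TCPTYPE | SCTP_PCB_FLAGS_IN_TCPPOOL)) != 0) &&`. The added `!SCTP_IS_LISTENING(inp)` and the switch to `SCTP_INP_WUNLOCK` are consistent with the first hunk dropping the write-to-read lock downgrade. sctp_setopt starts and ends outside the hunk.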
diff --git a/sys/netinet/sctputil.c b/sys/netinet/sctputil.c
index 7b82a2ce6d86..6c62a083458f 100644
--- a/sys/netinet/sctputil.c
+++ b/sys/netinet/sctputil.c
@@ -4836,7 +4836,10 @@ sctp_wakeup_the_read_socket(struct sctp_inpcb *inp,
     SCTP_UNUSED
 )
 {
-	if ((inp != NULL) && (inp->sctp_socket != NULL)) {
+	if ((inp != NULL) &&
+	    (inp->sctp_socket != NULL) &&
+	    (((stcb->sctp_ep->sctp_flags & (SCTP_PCB_FLAGS_TCPTYPE | SCTP_PCB_FLAGS_IN_TCPPOOL)) == 0) ||
+	    !SCTP_IS_LISTENING(inp))) {
 		sctp_sorwakeup(inp, inp->sctp_socket);
 	}
 }
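Review bot: The new condition dereferences `stcb->sctp_ep` while the guard only NULL-checks `inp` and `inp->sctp_socket`; if any caller passes a NULL `stcb` (the signature and the callers are outside the hunk, so this cannot be confirmed here), the wakeup now faults instead of being skipped or performed. Since `inp` is already validated and it is `inp->sctp_socket` that is woken, reading the flags from `inp` removes that dependency: `(((inp->sctp_flags & (SCTP_PCB_FLAGS_TCPTYPE | SCTP_PCB_FLAGS_IN_TCPPOOL)) == 0) ||`. A short comment above the test would also record the intent of the commit, e.g. `/* 1-to-1 style sockets that are listening are not woken up for data or notifications. */`.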