Re: git: 4548b9f3a816 - main - unix/stream: plug a corner case when control externalization failed

From: Mark Johnston <markj_at_freebsd.org>
Date: Thu, 16 Oct 2025 13:18:47 UTC
On Wed, Oct 15, 2025 at 08:47:21PM +0000, Gleb Smirnoff wrote:
> The branch main has been updated by glebius:
> 
> URL: https://cgit.FreeBSD.org/src/commit/?id=4548b9f3a8167a340a5086ed51a76d932c9ab3cc
> 
> commit 4548b9f3a8167a340a5086ed51a76d932c9ab3cc
> Author:     Gleb Smirnoff <glebius@FreeBSD.org>
> AuthorDate: 2025-10-15 20:01:25 +0000
> Commit:     Gleb Smirnoff <glebius@FreeBSD.org>
> CommitDate: 2025-10-15 20:47:11 +0000
> 
>     unix/stream: plug a corner case when control externalization failed
>     
>     while peer has closed its end.
>     
>     Reported by:    syzbot+ffcc3612ea266e36604e@syzkaller.appspotmail.com

Shouldn't this be MFCed?

Could you please be sure to add Fixes tags to such commits?  It becomes
much easier to find missing MFCs with that metadata available.  A few of
us have discussed using git notes to encode such info after the fact,
but this is not available yet.

> ---
>  sys/kern/uipc_usrreq.c | 20 ++++++++++++--------
>  1 file changed, 12 insertions(+), 8 deletions(-)
> 
> diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
> index c5fc1e84ce3f..90489e99491a 100644
> --- a/sys/kern/uipc_usrreq.c
> +++ b/sys/kern/uipc_usrreq.c
> @@ -1559,15 +1559,19 @@ restart:
>  				mc_init_m(&cmc, control);
>  
>  				SOCK_RECVBUF_LOCK(so);
> -				MPASS(!(sb->sb_state & SBS_CANTRCVMORE));
> -
> -				if (__predict_false(cmc.mc_len + sb->sb_ccc +
> -				    sb->sb_ctl > sb->sb_hiwat)) {
> +				if (__predict_false(
> +				    (sb->sb_state & SBS_CANTRCVMORE) ||
> +				    cmc.mc_len + sb->sb_ccc + sb->sb_ctl >
> +				    sb->sb_hiwat)) {
>  					/*
> -					 * Too bad, while unp_externalize() was
> -					 * failing, the other side had filled
> -					 * the buffer and we can't prepend data
> -					 * back. Losing data!
> +					 * While the lock was dropped and we
> +					 * were failing in unp_externalize(),
> +					 * the peer could has a) disconnected,
> +					 * b) filled the buffer so that we
> +					 * can't prepend data back.
> +					 * These are two edge conditions that
> +					 * we just can't handle, so lose the
> +					 * data and return the error.
>  					 */
>  					SOCK_RECVBUF_UNLOCK(so);
>  					SOCK_IO_RECV_UNLOCK(so);
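Review bot: the new comment in this hunk has a grammatical slip, "the peer could has a) disconnected", which should read "the peer could have a) disconnected"; since the comment is now the only record of why the former MPASS(!(sb->sb_state & SBS_CANTRCVMORE)) was demoted from an assertion to a handled condition, it is worth getting it exactly right. It would also help a future reader if the comment said explicitly which of the two conditions corresponds to SBS_CANTRCVMORE and which to the cmc.mc_len + sb->sb_ccc + sb->sb_ctl > sb->sb_hiwat overflow, and why dropping the data is acceptable in the disconnected case (nothing can read from the buffer any more) as opposed to merely unavoidable in the buffer-full case, since "we just can't handle" lumps two rather different situations together.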