git: 4250aa1188b5 - main - sctp: Clear assoc socket references when freeing a PCB
Mark Johnston
markj at FreeBSD.org
Thu Sep 9 12:47:07 UTC 2021
The branch main has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=4250aa1188b5622a6cef871003abd4a50067bdae
commit 4250aa1188b5622a6cef871003abd4a50067bdae
Author: Mark Johnston <markj at FreeBSD.org>
AuthorDate: 2021-09-09 12:33:26 +0000
Commit: Mark Johnston <markj at FreeBSD.org>
CommitDate: 2021-09-09 12:33:26 +0000
sctp: Clear assoc socket references when freeing a PCB
This restores behaviour present in the first import of SCTP. Commit
ceaad40ae729dea2c5d8ffcfdd45bb96fb8969d2 commented this out and commit
62fb761ff28bb184a2543e539dd689fefd5d3246 removed it. However, once
sctp_inpcb_free() returns, the socket reference is gone no matter what,
so we need to clear it.
Reported by: syzbot+30dd69297fcbc5f0e10a at syzkaller.appspotmail.com
Reported by: syzbot+7b2f9d4bcac1c9569291 at syzkaller.appspotmail.com
Reported by: syzbot+ed3e651f7d040af480a6 at syzkaller.appspotmail.com
Reviewed by: tuexen
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D31886
---
sys/netinet/sctp_pcb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c
index 82b7157c7ad7..e571f80e472a 100644
--- a/sys/netinet/sctp_pcb.c
+++ b/sys/netinet/sctp_pcb.c
@@ -3358,6 +3358,7 @@ sctp_inpcb_free(struct sctp_inpcb *inp, int immediate, int from)
LIST_FOREACH_SAFE(asoc, &inp->sctp_asoc_list, sctp_tcblist, nasoc) {
SCTP_TCB_LOCK(asoc);
if (asoc->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
+ asoc->sctp_socket = NULL;
/* Skip guys being freed */
cnt_in_sd++;
if (asoc->asoc.state & SCTP_STATE_IN_ACCEPT_QUEUE) {
More information about the dev-commits-src-all
mailing list