svn commit: r323552 - head/sys/kern

Gleb Smirnoff glebius at FreeBSD.org
Wed Sep 13 16:47:24 UTC 2017


Author: glebius
Date: Wed Sep 13 16:47:23 2017
New Revision: 323552
URL: https://svnweb.freebsd.org/changeset/base/323552

Log:
  Fix two issues with not ready data in sockets (read: sendfile)
  in UNIX sockets.
  
  o Check that socket is still connected in uipc_ready(). If not
    we are responsible to free mbufs.
  o In uipc_send() if socket appears to be disconnected, but we
    are sending data with pending I/Os, don't free mbufs.
  
  Reported by:	Kevin Bowling <kbowling llnw.com>
  Tested by:	Kevin Bowling <kbowling llnw.com>
  PR:		222259
  Reported by:	Mark Martinec <Mark.Martinec ijs.si>
  MFC after:	3 days

Modified:
  head/sys/kern/uipc_usrreq.c

Modified: head/sys/kern/uipc_usrreq.c
==============================================================================
--- head/sys/kern/uipc_usrreq.c	Wed Sep 13 16:43:31 2017	(r323551)
+++ head/sys/kern/uipc_usrreq.c	Wed Sep 13 16:47:23 2017	(r323552)
@@ -1056,7 +1056,11 @@ uipc_send(struct socket *so, int flags, struct mbuf *m
 release:
 	if (control != NULL)
 		m_freem(control);
-	if (m != NULL)
+	/*
+	 * In case of PRUS_NOTREADY, uipc_ready() is responsible
+	 * for freeing memory.
+	 */   
+	if (m != NULL && (flags & PRUS_NOTREADY) == 0)
 		m_freem(m);
 	return (error);
 }
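Review bot: The new condition at the `release:` label skips `m_freem(m)` for every path that reaches the label with `PRUS_NOTREADY` set, while the commit log only describes the disconnected-socket case. The comment should say what guarantees that `uipc_ready()` will later run for this chain on each of those error paths, because otherwise the mbufs are leaked rather than double-freed. A short note naming the caller that always follows up with the ready call would make the ownership rule checkable. Minor: the added comment's closing ` */` line carries trailing whitespace.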
@@ -1071,7 +1075,12 @@ uipc_ready(struct socket *so, struct mbuf *m, int coun
 	unp = sotounpcb(so);
 
 	UNP_LINK_RLOCK();
-	unp2 = unp->unp_conn;
+	if ((unp2 = unp->unp_conn) == NULL) {
+		UNP_LINK_RUNLOCK();
+		for (int i = 0; i < count; i++)
+			m = m_free(m);
+		return (ECONNRESET);
+	}
 	UNP_PCB_LOCK(unp2);
 	so2 = unp2->unp_socket;
 
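Review bot: The cleanup loop in the new `unp_conn == NULL` branch trusts `count` completely: `m = m_free(m)` is called `count` times with no check that `m` is still non-NULL, so a chain shorter than `count` would pass NULL to `m_free()`. Consider bounding the loop with `m != NULL` or asserting the invariant with a KASSERT so a mismatch is caught in a debug kernel. The branch also frees exactly `count` mbufs and leaves whatever follows in the chain, which deserves a one-line comment stating that this is intended and who owns the remainder. Style: `for (int i = 0; ...)` declares the index inside the for statement, where the surrounding code declares locals at the top of the function.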

