The branch main has been updated by tuexen:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=df07bfda67adc889b900126e31babb37e9ecae90

commit df07bfda67adc889b900126e31babb37e9ecae90
Author:     Michael Tuexen <tue...@freebsd.org>
AuthorDate: 2021-11-12 21:08:18 +0000
Commit:     Michael Tuexen <tue...@freebsd.org>
CommitDate: 2021-11-12 21:13:50 +0000

    tcp: Fix a locking issue
    
    INP_WLOCK_RECHECK_CLEANUP() and INP_WLOCK_RECHECK() might return
    from the function, so any locks held must be released.
    
    Reported by:            
syzbot+b1a888df08efaa7b4...@syzkaller.appspotmail.com
    Reviewed by:            markj
    Sponsored by:           Netflix, Inc.
    Differential Revision:  https://reviews.freebsd.org/D32975
---
 sys/netinet/tcp_usrreq.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/sys/netinet/tcp_usrreq.c b/sys/netinet/tcp_usrreq.c
index 4e03ad8ba095..968e102248d7 100644
--- a/sys/netinet/tcp_usrreq.c
+++ b/sys/netinet/tcp_usrreq.c
@@ -2073,11 +2073,16 @@ no_mem_needed:
                        free(ptr, M_CC_MEM);
                goto do_over;
        }
-       if (ptr)  {
+       INP_WLOCK(inp);
+       if (inp->inp_flags & (INP_TIMEWAIT | INP_DROPPED)) {
+               INP_WUNLOCK(inp);
+               CC_LIST_RUNLOCK();
+               free(ptr, M_CC_MEM);
+               return (ECONNRESET);
+       }
+       tp = intotcpcb(inp);
+       if (ptr != NULL)
                memset(ptr, 0, mem_sz);
-               INP_WLOCK_RECHECK_CLEANUP(inp, free(ptr, M_CC_MEM));
-       } else
-               INP_WLOCK_RECHECK(inp);
        CC_LIST_RUNLOCK();
        cc_mem.ccvc.tcp = tp;
        /*
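Review bot: The new `INP_WLOCK(inp)` / `inp_flags` / `intotcpcb(inp)` sequence is an open-coded copy of what INP_WLOCK_RECHECK_CLEANUP() does, and nothing in the hunk says why the macro was dropped, so a later cleanup is likely to fold it back into the macro and reintroduce the CC_LIST_RLOCK leak this commit fixes. I would add a comment above `INP_WLOCK(inp);` such as `/* Open-coded INP_WLOCK_RECHECK_CLEANUP(): the macro returns without releasing CC_LIST_RLOCK, so unwind both locks by hand. */`. As a minor point, the `memset(ptr, 0, mem_sz)` used to run before the inp lock was taken and now runs with both INP_WLOCK and CC_LIST_RLOCK held; hoisting `if (ptr != NULL) memset(ptr, 0, mem_sz);` above `INP_WLOCK(inp);` keeps the critical section as short as it was. The enclosing function continues outside the hunk on both sides.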
