tcp: Fix a locking issue

INP_WLOCK_RECHECK_CLEANUP() and INP_WLOCK_RECHECK() might return from the function, so any locks held must be released. Reported by: syzbot+b1a888df08efaa7b4bf1@syzkaller.appspotmail.com Reviewed by: markj Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D32975
2024-10-16 21:34:10 +00:00 · 2021-11-12 22:08:18 +01:00 · 2021-11-12 22:08:18 +01:00 · df07bfda67
parent 6913bf4c3d
commit df07bfda67
1 changed files with 9 additions and 4 deletions
--- a/sys/netinet/tcp_usrreq.c
+++ b/sys/netinet/tcp_usrreq.c
@ -2073,11 +2073,16 @@ tcp_congestion(struct socket *so, struct sockopt *sopt, struct inpcb *inp, struc
 			free(ptr, M_CC_MEM);
 		goto do_over;
 	}
-	if (ptr)  {
+	INP_WLOCK(inp);
+	if (inp->inp_flags & (INP_TIMEWAIT | INP_DROPPED)) {
+		INP_WUNLOCK(inp);
+		CC_LIST_RUNLOCK();
+		free(ptr, M_CC_MEM);
+		return (ECONNRESET);
+	}
+	tp = intotcpcb(inp);
+	if (ptr != NULL)
 		memset(ptr, 0, mem_sz);
-		INP_WLOCK_RECHECK_CLEANUP(inp, free(ptr, M_CC_MEM));
-	} else
-		INP_WLOCK_RECHECK(inp);
 	CC_LIST_RUNLOCK();
 	cc_mem.ccvc.tcp = tp;
 	/*