git: b1fe92b28ba2 - main - sctp: remove a test, which isn't safe

From: Michael Tuexen <tuexen_at_FreeBSD.org>
Date: Sat, 02 Apr 2022 12:45:03 UTC
The branch main has been updated by tuexen:

URL: https://cgit.FreeBSD.org/src/commit/?id=b1fe92b28ba2e77395598db1c2ff1976b55c86ab

commit b1fe92b28ba2e77395598db1c2ff1976b55c86ab
Author:     Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2022-04-02 12:44:06 +0000
Commit:     Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2022-04-02 12:44:06 +0000

    sctp: remove a test, which isn't safe
    
    We can't ensure the stcb is still around. This issue was found
    by syzkaller.
    
    MFC after:      3 days
---
 sys/netinet/cc/cc.c       | 29 +++++++++++++++++++----------
 sys/netinet/sctp_output.c |  5 -----
 2 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/sys/netinet/cc/cc.c b/sys/netinet/cc/cc.c
index 55a5f6ef652e..a009998ca920 100644
--- a/sys/netinet/cc/cc.c
+++ b/sys/netinet/cc/cc.c
@@ -280,15 +280,12 @@ cc_init(void)
 /*
  * Returns non-zero on success, 0 on failure.
  */
-int
-cc_deregister_algo(struct cc_algo *remove_cc)
+static int
+cc_deregister_algo_locked(struct cc_algo *remove_cc)
 {
 	struct cc_algo *funcs;
 	int found = 0;
 
-	/* Remove algo from cc_list so that new connections can't use it. */
-	CC_LIST_WLOCK();
-	
 	/* This is unlikely to fail */
 	STAILQ_FOREACH(funcs, &cc_list, entries) {
 		if (funcs == remove_cc)
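Review bot: `cc_deregister_algo_locked` now depends on the caller already holding the cc_list write lock, but nothing at the top of the new function states or checks that precondition before the `STAILQ_FOREACH` walk. A caller that forgets the lock would traverse and later unlink from `cc_list` concurrently with other users, which in kernel code means list corruption or a stale pointer. Assuming `CC_LIST_WLOCK()` wraps an rwlock, add an `rw_assert(..., RA_WLOCKED)` on the list lock (or the file's own lock-assert macro, if it has one) as the first statement. Also add a comment such as `/* Caller must hold the cc_list write lock. */` above the function. The function body continues into the next hunk.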
@@ -296,25 +293,36 @@ cc_deregister_algo(struct cc_algo *remove_cc)
 	}
 	if (found == 0) {
 		/* Nothing to remove? */
-		CC_LIST_WUNLOCK();
 		return (ENOENT);
 	}
 	/* We assert it should have been MOD_QUIESCE'd */
 	KASSERT((remove_cc->flags & CC_MODULE_BEING_REMOVED),
 		("remove_cc:%p does not have CC_MODULE_BEING_REMOVED flag", remove_cc));
 	if (cc_check_default(remove_cc)) {
-		CC_LIST_WUNLOCK();
 		return(EBUSY);
 	}
 	if (remove_cc->cc_refcount != 0) {
-		CC_LIST_WUNLOCK();
 		return (EBUSY);
 	}
+	/* Remove algo from cc_list so that new connections can't use it. */
 	STAILQ_REMOVE(&cc_list, remove_cc, cc_algo, entries);
-	CC_LIST_WUNLOCK();
 	return (0);
 }
 
+/*
+ * Returns non-zero on success, 0 on failure.
+ */
+int
+cc_deregister_algo(struct cc_algo *remove_cc)
+{
+	int ret;
+
+	CC_LIST_WLOCK();
+	ret = cc_deregister_algo_locked(remove_cc);
+	CC_LIST_WUNLOCK();
+	return (ret);
+}
+
 /*
  * Returns 0 on success, non-zero on failure.
  */
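Review bot: The comment added above the new `cc_deregister_algo` wrapper, `Returns non-zero on success, 0 on failure.`, is the inverse of what the code does. The helper it calls returns `ENOENT` or `EBUSY` on the failure paths and `0` after the `STAILQ_REMOVE`, and `cc_modevent` treats `err == 0` as success. The same stale comment is kept above `cc_deregister_algo_locked` in the first hunk. Both should read `/* Returns 0 on success, non-zero (ENOENT or EBUSY) on failure. */` so that a future caller does not invert the check and run teardown on an algorithm that is still referenced.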
@@ -628,7 +636,8 @@ cc_modevent(module_t mod, int event_type, void *data)
 		 * If -f was used and users are still attached to
 		 * the algorithm things are going to go boom.
 		 */
-		err = cc_deregister_algo(algo);
+		err = cc_deregister_algo_locked(algo);
+		CC_LIST_WUNLOCK();
 		if ((err == 0) && (algo->mod_destroy != NULL)) {
 			algo->mod_destroy();
 		}
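Review bot: The added `CC_LIST_WUNLOCK()` has no matching `CC_LIST_WLOCK()` in this hunk or anywhere else in the patch, so its correctness depends on code in `cc_modevent` above the hunk that is not shown. If the write lock is not held on every path reaching `cc_deregister_algo_locked(algo)`, the helper walks and edits `cc_list` unlocked and this line then releases a lock the thread does not own. Please confirm the acquire in the full function body and mark it with a comment such as `/* cc_list write lock taken above, released here */`. Separately, the commit log describes only the `sctp_output.c` removal; the cc.c locking refactor is not mentioned and would be easier to review and MFC as its own commit. The body of `cc_modevent` starts and ends outside the hunk.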
diff --git a/sys/netinet/sctp_output.c b/sys/netinet/sctp_output.c
index 5f205b1c3af4..4ef771b0cc1a 100644
--- a/sys/netinet/sctp_output.c
+++ b/sys/netinet/sctp_output.c
@@ -13657,11 +13657,6 @@ out_unlocked:
 		if (free_cnt_applied) {
 			atomic_subtract_int(&asoc->refcnt, 1);
 		}
-#ifdef INVARIANTS
-		if (mtx_owned(&stcb->tcb_mtx)) {
-			panic("Leaving with tcb mtx owned?");
-		}
-#endif
 	}
 	if (top != NULL) {
 		sctp_m_freem(top);