git: 820bafd0bc14 - main - unix/dgram: don't panic if socket buffer has negative space

From: Gleb Smirnoff <glebius_at_FreeBSD.org>
Date: Fri, 19 Aug 2022 19:15:53 UTC
The branch main has been updated by glebius:

URL: https://cgit.FreeBSD.org/src/commit/?id=820bafd0bc14a1448d7e5314e6c9f026518a66de

commit 820bafd0bc14a1448d7e5314e6c9f026518a66de
Author:     Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2022-08-19 19:13:34 +0000
Commit:     Gleb Smirnoff <glebius@FreeBSD.org>
CommitDate: 2022-08-19 19:15:38 +0000

    unix/dgram: don't panic if socket buffer has negative space
    
    That's a legitimate scenario, although unlikely.
    
    Reported by:    https://syzkaller.appspot.com/bug?extid=6e8be1ec8d77578a3df4
---
 sys/kern/uipc_usrreq.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index 1f2d8a6647b9..2b78c3e51907 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -1096,8 +1096,13 @@ uipc_dgram_sbspace(struct sockbuf *sb, u_int cc, u_int mbcnt)
 {
 	u_int bleft, mleft;
 
-	MPASS(sb->sb_hiwat >= sb->uxdg_cc);
-	MPASS(sb->sb_mbmax >= sb->uxdg_mbcnt);
+	/*
+	 * Negative space may happen if send(2) is followed by
+	 * setsockopt(SO_SNDBUF/SO_RCVBUF) that shrinks maximum.
+	 */
+	if (__predict_false(sb->sb_hiwat < sb->uxdg_cc ||
+	    sb->sb_mbmax < sb->uxdg_mbcnt))
+		return (false);
 
 	if (__predict_false(sb->sb_state & SBS_CANTRCVMORE))
 		return (false);