git: 1b91978f6375 - main - tcp: remove a condition in tcp_usr_detach() that never happens

From: Gleb Smirnoff <glebius_at_FreeBSD.org>
Date: Thu, 07 Jul 2022 04:10:39 UTC
The branch main has been updated by glebius:

URL: https://cgit.FreeBSD.org/src/commit/?id=1b91978f6375023b00c7d2b49a778765ce4ee6b8

commit 1b91978f6375023b00c7d2b49a778765ce4ee6b8
Author:     Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2022-07-07 04:09:45 +0000
Commit:     Gleb Smirnoff <glebius@FreeBSD.org>
CommitDate: 2022-07-07 04:09:45 +0000

    tcp: remove a condition in tcp_usr_detach() that never happens
    
    The comment from Robert Watson doubts that this condition ever happens.
    Our analysis confirms that.  Also, we found that if you manage to create
    such a connection with the help of some other bug, then after the "second
    case" code is executed, the kernel will panic in another part of the stack.
    
    Reviewed by:            rrs, tuexen
    Differential revision:  https://reviews.freebsd.org/D35714
---
 sys/netinet/tcp_usrreq.c | 24 ++++++++----------------
 1 file changed, 8 insertions(+), 16 deletions(-)

diff --git a/sys/netinet/tcp_usrreq.c b/sys/netinet/tcp_usrreq.c
index cdeb2cbcd98e..158ed5d9658c 100644
--- a/sys/netinet/tcp_usrreq.c
+++ b/sys/netinet/tcp_usrreq.c
@@ -272,23 +272,15 @@ tcp_usr_detach(struct socket *so)
 		}
 	} else {
 		/*
-		 * If the connection is not in timewait, we consider two
-		 * two conditions: one in which no further processing is
-		 * necessary (dropped || embryonic), and one in which TCP is
-		 * not yet done, but no longer requires the socket, so the
-		 * pcb will persist for the time being.
-		 *
-		 * XXXRW: Does the second case still occur?
+		 * If the connection is not in timewait, it must be either
+		 * dropped or embryonic.
 		 */
-		if (inp->inp_flags & INP_DROPPED ||
-		    tp->t_state < TCPS_SYN_SENT) {
-			tcp_discardcb(tp);
-			in_pcbdetach(inp);
-			in_pcbfree(inp);
-		} else {
-			in_pcbdetach(inp);
-			INP_WUNLOCK(inp);
-		}
+		KASSERT(inp->inp_flags & INP_DROPPED ||
+		    tp->t_state < TCPS_SYN_SENT,
+		    ("%s: inp %p not dropped or embryonic", __func__, inp));
+		tcp_discardcb(tp);
+		in_pcbdetach(inp);
+		in_pcbfree(inp);
 	}
 }
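Review bot: the KASSERT introduced at the `+` lines of this hunk is compiled only into kernels built with INVARIANTS, so on a production kernel the condition disappears and the non-timewait branch unconditionally runs tcp_discardcb()/in_pcbdetach()/in_pcbfree(), including for the state the removed else branch used to handle with in_pcbdetach() plus INP_WUNLOCK() while leaving the pcb alive. The commit message states that such a connection would panic elsewhere anyway, but that rationale is not visible in the code; consider extending the new comment ("it must be either dropped or embryonic") with one sentence saying why the pcb-persists path is gone, so a reader of a non-INVARIANTS build does not mistake the change for a lost case. Minor style point: parenthesize the bitwise test in the assertion, `KASSERT((inp->inp_flags & INP_DROPPED) ||`, so the `&`/`||` precedence does not have to be checked by eye (the condition is correct as written, since `&` binds tighter than `||`).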