svn commit: r332817 - stable/11/sys/netinet
Jonathan T. Looney
jtl at FreeBSD.org
Fri Apr 20 13:58:49 UTC 2018
Author: jtl
Date: Fri Apr 20 13:58:48 2018
New Revision: 332817
URL: https://svnweb.freebsd.org/changeset/base/332817
Log:
MFC r332120:
If a user closes the socket before we call tcp_usr_abort(), then
tcp_drop() may unlock the INP. Currently, tcp_usr_abort() does not
check for this case, which results in a panic while trying to unlock
the already-unlocked INP (not to mention, a use-after-free violation).
Make tcp_usr_abort() check the return value of tcp_drop(). In the case
where tcp_drop() returns NULL, tcp_usr_abort() can skip further steps
to abort the connection and simply unlock the INP_INFO lock prior to
returning.
Sponsored by: Netflix, Inc.
Modified:
stable/11/sys/netinet/tcp_usrreq.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/sys/netinet/tcp_usrreq.c
==============================================================================
--- stable/11/sys/netinet/tcp_usrreq.c Fri Apr 20 13:08:04 2018 (r332816)
+++ stable/11/sys/netinet/tcp_usrreq.c Fri Apr 20 13:58:48 2018 (r332817)
@@ -1080,7 +1080,9 @@ tcp_usr_abort(struct socket *so)
!(inp->inp_flags & INP_DROPPED)) {
tp = intotcpcb(inp);
TCPDEBUG1();
- tcp_drop(tp, ECONNABORTED);
+ tp = tcp_drop(tp, ECONNABORTED);
+ if (tp == NULL)
+ goto dropped;
TCPDEBUG2(PRU_ABORT);
TCP_PROBE2(debug__user, tp, PRU_ABORT);
}
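Review bot: the `goto dropped` taken when tcp_drop() returns NULL also skips TCPDEBUG2(PRU_ABORT) and TCP_PROBE2(debug__user, tp, PRU_ABORT), so an abort that races with a close leaves no trace record. Skipping them is the safe choice because TCP_PROBE2 is passed tp, which is NULL on this path, but a short comment above `if (tp == NULL)` should say that the skip is intentional and that, per the log, a NULL return means tcp_drop() may already have unlocked the INP.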
@@ -1091,6 +1093,7 @@ tcp_usr_abort(struct socket *so)
inp->inp_flags |= INP_SOCKREF;
}
INP_WUNLOCK(inp);
+dropped:
INP_INFO_RUNLOCK(&V_tcbinfo);
}
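Review bot: the `dropped:` label sits after INP_WUNLOCK(inp), which is what avoids the double unlock, but nothing at the label records that inp is already unlocked on that path and must not be touched. Add a comment at the label stating that only the INP_INFO lock is still held there and that inp and tp must not be referenced past it, so a later change that adds cleanup after `dropped:` does not reintroduce the use-after-free the log describes.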