From: Andre Oppermann
Date: Tue, 9 Apr 2013 20:52:26 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r249317 - head/sys/netinet

Author: andre
Date: Tue Apr 9 20:52:26 2013
New Revision: 249317
URL: http://svnweb.freebsd.org/changeset/base/249317

Log:
  Fix a race condition on tcp listen socket teardown with pending
  connections in the accept queue and contiguous new incoming SYNs.

  Compared to the original submitters patch I've moved the test
  next to the SYN handling to have it together in a logical unit
  and reworded the comment explaining the issue.

  Submitted by: Matt Miller
  Submitted by: Juan Mojica
  Reviewed by: Matt Miller (changes)
  Tested by: pho
  MFC after: 1 week

Modified:
  head/sys/netinet/tcp_input.c

Modified: head/sys/netinet/tcp_input.c ============================================================================== --- head/sys/netinet/tcp_input.c Tue Apr 9 20:21:35 2013 (r249316) +++ head/sys/netinet/tcp_input.c Tue Apr 9 20:52:26 2013 (r249317) @@ -1405,6 +1405,15 @@ relocked: */ INP_INFO_UNLOCK_ASSERT(&V_tcbinfo); return; + } else if (tp->t_state == TCPS_LISTEN) { + /* + * When a listen socket is torn down the SO_ACCEPTCONN + * flag is removed first while connections are drained + * from the accept queue in a unlock/lock cycle of the + * ACCEPT_LOCK, opening a race condition allowing a SYN + * attempt go through unhandled. + */ + goto dropunlock; } #ifdef TCP_SIGNATURE
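
Review bot: In the added `else if (tp->t_state == TCPS_LISTEN)` branch, the comment explains how the race opens but not the handling chosen for it: the code does `goto dropunlock`, and the comment does not say whether discarding the segment rather than answering it is deliberate, or what "unhandled" would have led to without this check. Suggest one sentence on each. The condition also tests only `t_state`, so it catches every segment that reaches a listening tp at this point, not only the SYN the comment describes; either say so in the comment or narrow the test. Wording in the same comment: "a unlock/lock cycle" should be "an unlock/lock cycle", and "attempt go through" should be "attempt to go through".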