Date:      Thu, 16 May 2019 09:12:13 +0000 (UTC)
From:      Michael Tuexen <tuexen@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r347668 - stable/11/sys/netinet
Message-ID:  <201905160912.x4G9CDts039732@repo.freebsd.org>

Author: tuexen
Date: Thu May 16 09:12:13 2019
New Revision: 347668
URL: https://svnweb.freebsd.org/changeset/base/347668

Log:
  MFC r344742:
  
  Allocate an association id and register the stcb while holding the lock.
  This avoids a race where stcbs can be found, which are not completely
  initialized.
  
  This was found by running syzkaller.

Modified:
  stable/11/sys/netinet/sctp_pcb.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/netinet/sctp_pcb.c
==============================================================================
--- stable/11/sys/netinet/sctp_pcb.c	Thu May 16 09:10:14 2019	(r347667)
+++ stable/11/sys/netinet/sctp_pcb.c	Thu May 16 09:12:13 2019	(r347668)
@@ -4156,11 +4156,9 @@ sctp_aloc_a_assoc_id(struct sctp_inpcb *inp, struct sc
 	struct sctpasochead *head;
 	struct sctp_tcb *lstcb;
 
-	SCTP_INP_WLOCK(inp);
 try_again:
 	if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) {
 		/* TSNH */
-		SCTP_INP_WUNLOCK(inp);
 		return (0);
 	}
 	/*
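Review bot: sctp_aloc_a_assoc_id no longer acquires SCTP_INP_WLOCK itself (the lock and the unlock on the TSNH path are dropped here, and the unlock before the return in the next hunk), yet nothing at the function states that the caller must already hold the inp write lock; a future caller that does not will race on the id allocation and the sctp_asocidhash insertion in exactly the way the log describes. I would record the precondition at the top of the function, whose signature lies before this hunk: `/* Caller must hold SCTP_INP_WLOCK(inp): the id counter and sctp_asocidhash are updated under it. */`, and, if the tree provides a write-lock assertion macro for the inpcb, place it as the first statement of the body. The only caller visible in this diff, sctp_aloc_assoc, does appear to hold the lock at its new call site.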
@@ -4179,8 +4177,7 @@ try_again:
 	head = &inp->sctp_asocidhash[SCTP_PCBHASH_ASOC(id, inp->hashasocidmark)];
 	LIST_INSERT_HEAD(head, stcb, sctp_tcbasocidhash);
 	stcb->asoc.in_asocid_hash = 1;
-	SCTP_INP_WUNLOCK(inp);
-	return id;
+	return (id);
 }
 
 /*
@@ -4343,7 +4340,6 @@ sctp_aloc_assoc(struct sctp_inpcb *inp, struct sockadd
 	memset(stcb, 0, sizeof(*stcb));
 	asoc = &stcb->asoc;
 
-	asoc->assoc_id = sctp_aloc_a_assoc_id(inp, stcb);
 	SCTP_TCB_LOCK_INIT(stcb);
 	SCTP_TCB_SEND_LOCK_INIT(stcb);
 	stcb->rport = rport;
@@ -4354,7 +4350,6 @@ sctp_aloc_assoc(struct sctp_inpcb *inp, struct sockadd
 		/* failed */
 		SCTP_TCB_LOCK_DESTROY(stcb);
 		SCTP_TCB_SEND_LOCK_DESTROY(stcb);
-		LIST_REMOVE(stcb, sctp_tcbasocidhash);
 		SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_asoc), stcb);
 		SCTP_DECR_ASOC_COUNT();
 		*error = err;
@@ -4367,7 +4362,6 @@ sctp_aloc_assoc(struct sctp_inpcb *inp, struct sockadd
 		/* inpcb freed while alloc going on */
 		SCTP_TCB_LOCK_DESTROY(stcb);
 		SCTP_TCB_SEND_LOCK_DESTROY(stcb);
-		LIST_REMOVE(stcb, sctp_tcbasocidhash);
 		SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_asoc), stcb);
 		SCTP_INP_WUNLOCK(inp);
 		SCTP_INP_INFO_WUNLOCK();
@@ -4378,6 +4372,7 @@ sctp_aloc_assoc(struct sctp_inpcb *inp, struct sockadd
 	}
 	SCTP_TCB_LOCK(stcb);
 
+	asoc->assoc_id = sctp_aloc_a_assoc_id(inp, stcb);
 	/* now that my_vtag is set, add it to the hash */
 	head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, SCTP_BASE_INFO(hashasocmark))];
 	/* put it in the bucket in the vtag hash of assoc's for the system */
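Review bot: The value returned by sctp_aloc_a_assoc_id at the new call site is stored without a check, although the function returns 0 when SCTP_PCB_FLAGS_SOCKET_ALLGONE is set (first hunk). That branch looks unreachable here because the "inpcb freed while alloc going on" check in the previous hunk seems to run under the same SCTP_INP_WLOCK hold as this call, but the call site does not say so, and a reader comparing it with the old placement before the lock was taken will wonder. A one-line comment would make the invariant explicit: `/* inp write lock still held; the ALLGONE check above guarantees a non-zero id here */`. sctp_aloc_assoc's body continues outside the hunk.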


