From: Navdeep Parhar
To: freebsd-net@freebsd.org
Date: Thu, 5 Jan 2012 21:25:48 -0800
Subject: tcp_detach can return with inpcb lock held
List-Id: Networking and TCP/IP with FreeBSD

Looks like there's a case where tcp_detach could return with the inp lock held. I see an XXXRW comment questioning this possibility, but we should either add an assertion to verify that the case does not occur, or unlock the inpcb before returning. Or maybe both?

Regards,
Navdeep

diff -r 35bdf8d932e8 sys/netinet/tcp_usrreq.c --- a/sys/netinet/tcp_usrreq.c Mon Dec 19 10:08:31 2011 -0800
+++ b/sys/netinet/tcp_usrreq.c Thu Jan 05 21:20:24 2012 -0800 @@ -204,8 +204,11 @@ tcp_discardcb(tp); in_pcbdetach(inp); in_pcbfree(inp); - } else + } else { in_pcbdetach(inp); + INP_WUNLOCK(inp); + } + } }
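Review bot: the new `INP_WUNLOCK(inp);` in the else branch unconditionally drops the write lock, but nothing in the hunk checks that the lock is actually held on entry to that branch; since the covering message itself raises the option of an assertion, consider adding `INP_WLOCK_ASSERT(inp);` at the top of the else branch (before the existing `in_pcbdetach(inp);`) so a caller that reaches this path without the lock trips the assertion rather than producing an unbalanced unlock. The XXXRW comment the message refers to (not visible in this hunk) should be updated or removed in the same change, and the commit message should state the condition under which tcp_detach reaches the else branch with the inpcb lock held, so that a reader of the history knows this unlock is intentional rather than a leftover. Note that the unlock is correctly placed after `in_pcbdetach(inp)` rather than after `in_pcbfree(inp)` in the other branch, since only the free path releases the pcb itself.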