The branch main has been updated by tuexen: URL: https://cgit.FreeBSD.org/src/commit/?id=b1fe92b28ba2e77395598db1c2ff1976b55c86ab
commit b1fe92b28ba2e77395598db1c2ff1976b55c86ab Author: Michael Tuexen <[email protected]> AuthorDate: 2022-04-02 12:44:06 +0000 Commit: Michael Tuexen <[email protected]> CommitDate: 2022-04-02 12:44:06 +0000 sctp: remove a test, which isn't safe We can't ensure the stcb is still around. This issue was found by syzkaller. MFC after: 3 days --- sys/netinet/cc/cc.c | 29 +++++++++++++++++++---------- sys/netinet/sctp_output.c | 5 ----- 2 files changed, 19 insertions(+), 15 deletions(-) diff --git a/sys/netinet/cc/cc.c b/sys/netinet/cc/cc.c index 55a5f6ef652e..a009998ca920 100644 --- a/sys/netinet/cc/cc.c +++ b/sys/netinet/cc/cc.c @@ -280,15 +280,12 @@ cc_init(void) /* * Returns non-zero on success, 0 on failure. */ -int -cc_deregister_algo(struct cc_algo *remove_cc) +static int +cc_deregister_algo_locked(struct cc_algo *remove_cc) { struct cc_algo *funcs; int found = 0; - /* Remove algo from cc_list so that new connections can't use it. */ - CC_LIST_WLOCK(); - /* This is unlikely to fail */ STAILQ_FOREACH(funcs, &cc_list, entries) { if (funcs == remove_cc) @@ -296,25 +293,36 @@ cc_deregister_algo(struct cc_algo *remove_cc) } if (found == 0) { /* Nothing to remove? */ - CC_LIST_WUNLOCK(); return (ENOENT); } /* We assert it should have been MOD_QUIESCE'd */ KASSERT((remove_cc->flags & CC_MODULE_BEING_REMOVED), ("remove_cc:%p does not have CC_MODULE_BEING_REMOVED flag", remove_cc)); if (cc_check_default(remove_cc)) { - CC_LIST_WUNLOCK(); return(EBUSY); } if (remove_cc->cc_refcount != 0) { - CC_LIST_WUNLOCK(); return (EBUSY); } + /* Remove algo from cc_list so that new connections can't use it. */ STAILQ_REMOVE(&cc_list, remove_cc, cc_algo, entries); - CC_LIST_WUNLOCK(); return (0); } +/* + * Returns non-zero on success, 0 on failure. + */ +int +cc_deregister_algo(struct cc_algo *remove_cc) +{ + int ret; + + CC_LIST_WLOCK(); + ret = cc_deregister_algo_locked(remove_cc); + CC_LIST_WUNLOCK(); + return (ret); +} + /* * Returns 0 on success, non-zero on failure. */ @@ -628,7 +636,8 @@ cc_modevent(module_t mod, int event_type, void *data) * If -f was used and users are still attached to * the algorithm things are going to go boom. */ - err = cc_deregister_algo(algo); + err = cc_deregister_algo_locked(algo); + CC_LIST_WUNLOCK(); if ((err == 0) && (algo->mod_destroy != NULL)) { algo->mod_destroy(); } diff --git a/sys/netinet/sctp_output.c b/sys/netinet/sctp_output.c index 5f205b1c3af4..4ef771b0cc1a 100644 --- a/sys/netinet/sctp_output.c +++ b/sys/netinet/sctp_output.c @@ -13657,11 +13657,6 @@ out_unlocked: if (free_cnt_applied) { atomic_subtract_int(&asoc->refcnt, 1); } -#ifdef INVARIANTS - if (mtx_owned(&stcb->tcb_mtx)) { - panic("Leaving with tcb mtx owned?"); - } -#endif } if (top != NULL) { sctp_m_freem(top);
