sctp: Fix a lock order reversal in sctp_swap_inpcb_for_listen()

When port reuse is enabled in a one-to-one-style socket, sctp_listen() may call sctp_swap_inpcb_for_listen() to move the PCB out of the "TCP pool". In so doing it will drop the PCB lock, yielding an LOR since we now hold several socket locks. Reorder sctp_listen() so that it performs this operation before beginning the conversion to a listening socket. Also modify sctp_swap_inpcb_for_listen() to return with PCB write-locked, since that's what sctp_listen() expects now. Reviewed by: tuexen Fixes: bd4a39cc93 ("socket: Properly interlock when transitioning to a listening socket") MFC after: 1 month Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D31879
2021-09-07 23:20:21 -04:00 · 2021-09-07 23:20:21 -04:00 · ee4731179c
commit ee4731179c
parent 6e3af6321b
2 changed files with 8 additions and 12 deletions
--- a/sys/netinet/sctp_pcb.c
+++ b/sys/netinet/sctp_pcb.c
@ -1846,6 +1846,7 @@ sctp_swap_inpcb_for_listen(struct sctp_inpcb *inp)
 	struct sctp_inpcb *tinp, *ninp;

 	SCTP_INP_INFO_WLOCK_ASSERT();
+	SCTP_INP_WLOCK_ASSERT(inp);

 	if (sctp_is_feature_off(inp, SCTP_PCB_FLAGS_PORTREUSE)) {
 		/* only works with port reuse on */
@ -1854,7 +1855,7 @@ sctp_swap_inpcb_for_listen(struct sctp_inpcb *inp)
 	if ((inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL) == 0) {
 		return (0);
 	}
-	SCTP_INP_RUNLOCK(inp);
+	SCTP_INP_WUNLOCK(inp);
 	head = &SCTP_BASE_INFO(sctp_ephash)[SCTP_PCBHASH_ALLADDR(inp->sctp_lport,
 	    SCTP_BASE_INFO(hashmark))];
 	/* Kick out all non-listeners to the TCP hash */
@ -1884,8 +1885,6 @@ sctp_swap_inpcb_for_listen(struct sctp_inpcb *inp)
 	inp->sctp_flags &= ~SCTP_PCB_FLAGS_IN_TCPPOOL;
 	head = &SCTP_BASE_INFO(sctp_ephash)[SCTP_PCBHASH_ALLADDR(inp->sctp_lport, SCTP_BASE_INFO(hashmark))];
 	LIST_INSERT_HEAD(head, inp, sctp_hash);
-	SCTP_INP_WUNLOCK(inp);
-	SCTP_INP_RLOCK(inp);
 	return (0);
 }

--- a/sys/netinet/sctp_usrreq.c
+++ b/sys/netinet/sctp_usrreq.c
@ -7208,12 +7208,6 @@ sctp_listen(struct socket *so, int backlog, struct thread *p)
 		sctp_log_lock(inp, (struct sctp_tcb *)NULL, SCTP_LOG_LOCK_SOCK);
 	}
 #endif
-	SOCK_LOCK(so);
-	error = solisten_proto_check(so);
-	if (error) {
-		SOCK_UNLOCK(so);
-		goto out;
-	}
 	if ((sctp_is_feature_on(inp, SCTP_PCB_FLAGS_PORTREUSE)) &&
 	    (inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
 		/*
@ -7223,14 +7217,17 @@ sctp_listen(struct socket *so, int backlog, struct thread *p)
 		 * move the guy that was listener to the TCP Pool.
 		 */
 		if (sctp_swap_inpcb_for_listen(inp)) {
-			SOCK_UNLOCK(so);
-			solisten_proto_abort(so);
 			error = EADDRINUSE;
 			SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, error);
 			goto out;
 		}
 	}
-
+	SOCK_LOCK(so);
+	error = solisten_proto_check(so);
+	if (error) {
+		SOCK_UNLOCK(so);
+		goto out;
+	}
 	if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
 	    (inp->sctp_flags & SCTP_PCB_FLAGS_CONNECTED)) {
 		SOCK_UNLOCK(so);