sctp: Fix lock recursion in sctp_swap_inpcb_for_listen()

After commit bd4a39cc93 we now hold the global inp info lock across the call to sctp_swap_inpcb_for_listen(), which attempts to acquire it again. Since sctp_swap_inpcb_for_listen()'s sole caller is sctp_listen(), we can simply change it to not try to acquire the lock. Reported by: syzbot+a76b19ea2f8e1190c451@syzkaller.appspotmail.com Reported by: syzbot+a1b6cef257ad145b7187@syzkaller.appspotmail.com Reviewed by: tuexen Fixes: bd4a39cc93 ("socket: Properly interlock when transitioning to a listening socket") MFC after: 1 month Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D31878
2021-09-07 23:02:15 -04:00 · 2021-09-07 23:02:15 -04:00 · 6e3af6321b
commit 6e3af6321b
parent 415e81d5d9
1 changed files with 2 additions and 2 deletions
--- a/sys/netinet/sctp_pcb.c
+++ b/sys/netinet/sctp_pcb.c
@ -1845,6 +1845,8 @@ sctp_swap_inpcb_for_listen(struct sctp_inpcb *inp)
 	struct sctppcbhead *head;
 	struct sctp_inpcb *tinp, *ninp;

+	SCTP_INP_INFO_WLOCK_ASSERT();
+
 	if (sctp_is_feature_off(inp, SCTP_PCB_FLAGS_PORTREUSE)) {
 		/* only works with port reuse on */
 		return (-1);
@ -1853,7 +1855,6 @@ sctp_swap_inpcb_for_listen(struct sctp_inpcb *inp)
 		return (0);
 	}
 	SCTP_INP_RUNLOCK(inp);
-	SCTP_INP_INFO_WLOCK();
 	head = &SCTP_BASE_INFO(sctp_ephash)[SCTP_PCBHASH_ALLADDR(inp->sctp_lport,
 	    SCTP_BASE_INFO(hashmark))];
 	/* Kick out all non-listeners to the TCP hash */
@ -1885,7 +1886,6 @@ sctp_swap_inpcb_for_listen(struct sctp_inpcb *inp)
 	LIST_INSERT_HEAD(head, inp, sctp_hash);
 	SCTP_INP_WUNLOCK(inp);
 	SCTP_INP_RLOCK(inp);
-	SCTP_INP_INFO_WUNLOCK();
 	return (0);
 }