o Fix INP lock leak in the minttl case

o Remove indirection in the decision of unlocking inp o Further annotation of locking in tcp_input()
2007-04-23 19:41:47 +00:00 · 2007-04-23 19:41:47 +00:00 · 9fa198bead
commit 9fa198bead
parent b77d604841
2 changed files with 12 additions and 10 deletions
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@ -751,9 +751,9 @@ tcp_input(struct mbuf *m, int off0)
 	if (inp->inp_vflag & INP_TIMEWAIT) {
 		if (thflags & TH_SYN)
 			tcp_dooptions(&to, optp, optlen, TO_SYN);
+		/* NB: tcp_timewait unlocks the INP and frees the mbuf. */
 		if (tcp_timewait(inp, &to, th, m, tlen))
 			goto findpcb;
-		/* tcp_timewait unlocks inp. */
 		INP_INFO_WUNLOCK(&tcbinfo);
 		return;
 	}
@ -764,7 +764,6 @@ tcp_input(struct mbuf *m, int off0)
 	 */
 	tp = intotcpcb(inp);
 	if (tp == NULL) {
-		INP_UNLOCK(inp);
 		rstreason = BANDLIM_RST_CLOSEDPORT;
 		goto dropwithreset;
 	}
@ -833,6 +832,10 @@ tcp_input(struct mbuf *m, int off0)
 				 * timestamp.
 				 */
 				tcp_dooptions(&to, optp, optlen, 0);
+				/*
+				 * NB: syncache_expand() doesn't unlock
+				 * inp and tcpinfo locks.
+				 */
 				if (!syncache_expand(&inc, &to, th, &so, m)) {
 					/*
 					 * No syncache entry or ACK was not
@ -925,8 +928,6 @@ tcp_input(struct mbuf *m, int off0)

 			if ((ia6 = ip6_getdstifaddr(m)) &&
 			    (ia6->ia6_flags & IN6_IFF_DEPRECATED)) {
-				INP_UNLOCK(inp);
-				tp = NULL;
 				rstreason = BANDLIM_RST_OPENPORT;
 				goto dropwithreset;
 			}
@ -998,7 +999,7 @@ tcp_input(struct mbuf *m, int off0)
 	m = NULL;	/* mbuf chain got consumed. */
 dropunlock:
 	INP_INFO_WLOCK_ASSERT(&tcbinfo);
-	if (tp != NULL)
+	if (inp != NULL)
 		INP_UNLOCK(inp);
 	INP_INFO_WUNLOCK(&tcbinfo);
 drop:
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@ -751,9 +751,9 @@ tcp_input(struct mbuf *m, int off0)
 	if (inp->inp_vflag & INP_TIMEWAIT) {
 		if (thflags & TH_SYN)
 			tcp_dooptions(&to, optp, optlen, TO_SYN);
+		/* NB: tcp_timewait unlocks the INP and frees the mbuf. */
 		if (tcp_timewait(inp, &to, th, m, tlen))
 			goto findpcb;
-		/* tcp_timewait unlocks inp. */
 		INP_INFO_WUNLOCK(&tcbinfo);
 		return;
 	}
@ -764,7 +764,6 @@ tcp_input(struct mbuf *m, int off0)
 	 */
 	tp = intotcpcb(inp);
 	if (tp == NULL) {
-		INP_UNLOCK(inp);
 		rstreason = BANDLIM_RST_CLOSEDPORT;
 		goto dropwithreset;
 	}
@ -833,6 +832,10 @@ tcp_input(struct mbuf *m, int off0)
 				 * timestamp.
 				 */
 				tcp_dooptions(&to, optp, optlen, 0);
+				/*
+				 * NB: syncache_expand() doesn't unlock
+				 * inp and tcpinfo locks.
+				 */
 				if (!syncache_expand(&inc, &to, th, &so, m)) {
 					/*
 					 * No syncache entry or ACK was not
@ -925,8 +928,6 @@ tcp_input(struct mbuf *m, int off0)

 			if ((ia6 = ip6_getdstifaddr(m)) &&
 			    (ia6->ia6_flags & IN6_IFF_DEPRECATED)) {
-				INP_UNLOCK(inp);
-				tp = NULL;
 				rstreason = BANDLIM_RST_OPENPORT;
 				goto dropwithreset;
 			}
@ -998,7 +999,7 @@ tcp_input(struct mbuf *m, int off0)
 	m = NULL;	/* mbuf chain got consumed. */
 dropunlock:
 	INP_INFO_WLOCK_ASSERT(&tcbinfo);
-	if (tp != NULL)
+	if (inp != NULL)
 		INP_UNLOCK(inp);
 	INP_INFO_WUNLOCK(&tcbinfo);
 drop: