The branch stable/13 has been updated by tuexen:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=eb426ae3239d2fe12502b195f4e91b87545b851a

commit eb426ae3239d2fe12502b195f4e91b87545b851a
Author:     Michael Tuexen <tue...@freebsd.org>
AuthorDate: 2021-09-20 13:52:10 +0000
Commit:     Michael Tuexen <tue...@freebsd.org>
CommitDate: 2022-02-22 22:52:20 +0000

    sctp: use a valid outstream when adding it to the scheduler
    
    Without holding the stcb send lock, the outstreams might get
    reallocated if the number of streams are increased.
    
    Reported by:    syzbot+4a5431d7caa666f2c...@syzkaller.appspotmail.com
    Reported by:    syzbot+aa2e3b013a48870e1...@syzkaller.appspotmail.com
    Reported by:    syzbot+e4368c3bde07cd2fb...@syzkaller.appspotmail.com
    Reported by:    syzbot+fe2f110e34811ea91...@syzkaller.appspotmail.com
    Reported by:    syzbot+ed6e8de942351d030...@syzkaller.appspotmail.com
    
    (cherry picked from commit 34b1efcea19dd4324eecd19d2de313d039fd9656)
---
 sys/netinet/sctp_output.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sys/netinet/sctp_output.c b/sys/netinet/sctp_output.c
index 99b1b2660573..80d4b8c52773 100644
--- a/sys/netinet/sctp_output.c
+++ b/sys/netinet/sctp_output.c
@@ -6337,7 +6337,6 @@ sctp_msg_append(struct sctp_tcb *stcb,
                error = EINVAL;
                goto out_now;
        }
-       strm = &stcb->asoc.strmout[srcv->sinfo_stream];
        /* Now can we send this? */
        if ((SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_SENT) ||
            (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_ACK_SENT) ||
@@ -6396,6 +6395,7 @@ sctp_msg_append(struct sctp_tcb *stcb,
        if (hold_stcb_lock == 0) {
                SCTP_TCB_SEND_LOCK(stcb);
        }
+       strm = &stcb->asoc.strmout[srcv->sinfo_stream];
        sctp_snd_sb_alloc(stcb, sp->length);
        atomic_add_int(&stcb->asoc.stream_queue_cnt, 1);
        TAILQ_INSERT_TAIL(&strm->outqueue, sp, next);
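Review bot: The re-derived `strm` pointer added just after `SCTP_TCB_SEND_LOCK(stcb)` carries no explanation, unlike the identical line in the later hunk at 13137, so a future cleanup could hoist it back above the lock and reintroduce the stale-pointer read; add `/* The out streams might be reallocated while the send lock is not held. */` above it. The index `srcv->sinfo_stream` appears to be validated before the lock is taken (the `EINVAL` branch at the top of the first hunk looks like that check), which is only sound if the stream count never shrinks; the commit message states that streams are only increased, but nothing in the code says so, so a one-line comment noting the assumption would help. sctp_msg_append's body starts and ends outside the hunk.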
@@ -13137,6 +13137,8 @@ skip_preblock:
                                goto out;
                        }
                        SCTP_TCB_SEND_LOCK(stcb);
+                       /* The out streams might be reallocated. */
+                       strm = &stcb->asoc.strmout[srcv->sinfo_stream];
                        if (sp->msg_is_complete) {
                                strm->last_msg_incomplete = 0;
                                asoc->stream_locked = 0;
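Review bot: The new comment `/* The out streams might be reallocated. */` names the hazard but not the invariant the fix relies on, namely that every reallocation of `stcb->asoc.strmout` happens under `SCTP_TCB_SEND_LOCK`, so the pointer is stable once the lock is held; consider `/* strmout may have been reallocated (stream count increase) while the send lock was dropped; re-derive the pointer now that we hold it. */`. Whether `sp` or the old `strm` was already referenced elsewhere before the lock was dropped is not visible in this hunk; if it was, that earlier use presumably needs the same treatment. The enclosing function starts and ends outside the hunk.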
