The branch main has been updated by glebius:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=1b91978f6375023b00c7d2b49a778765ce4ee6b8

commit 1b91978f6375023b00c7d2b49a778765ce4ee6b8
Author:     Gleb Smirnoff <[email protected]>
AuthorDate: 2022-07-07 04:09:45 +0000
Commit:     Gleb Smirnoff <[email protected]>
CommitDate: 2022-07-07 04:09:45 +0000

    tcp: remove a condition in tcp_usr_detach() that never happens
    
    The comment from Robert Watson doubts that this condition ever happens.
    Our analysis confirms that.  Also, we found that if you manage to create
    such a connection with the help of some other bug, then after the "second
    case" code is executed, the kernel will panic in another part of the stack.
    
    Reviewed by:            rrs, tuexen
    Differential revision:  https://reviews.freebsd.org/D35714
---
 sys/netinet/tcp_usrreq.c | 24 ++++++++----------------
 1 file changed, 8 insertions(+), 16 deletions(-)

diff --git a/sys/netinet/tcp_usrreq.c b/sys/netinet/tcp_usrreq.c
index cdeb2cbcd98e..158ed5d9658c 100644
--- a/sys/netinet/tcp_usrreq.c
+++ b/sys/netinet/tcp_usrreq.c
@@ -272,23 +272,15 @@ tcp_usr_detach(struct socket *so)
                }
        } else {
                /*
-                * If the connection is not in timewait, we consider two
-                * two conditions: one in which no further processing is
-                * necessary (dropped || embryonic), and one in which TCP is
-                * not yet done, but no longer requires the socket, so the
-                * pcb will persist for the time being.
-                *
-                * XXXRW: Does the second case still occur?
+                * If the connection is not in timewait, it must be either
+                * dropped or embryonic.
                 */
-               if (inp->inp_flags & INP_DROPPED ||
-                   tp->t_state < TCPS_SYN_SENT) {
-                       tcp_discardcb(tp);
-                       in_pcbdetach(inp);
-                       in_pcbfree(inp);
-               } else {
-                       in_pcbdetach(inp);
-                       INP_WUNLOCK(inp);
-               }
+               KASSERT(inp->inp_flags & INP_DROPPED ||
+                   tp->t_state < TCPS_SYN_SENT,
+                   ("%s: inp %p not dropped or embryonic", __func__, inp));
+               tcp_discardcb(tp);
+               in_pcbdetach(inp);
+               in_pcbfree(inp);
        }
 }
 
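Review bot: the KASSERT message added in this hunk prints only the inp pointer, so a panic here would not say which half of the invariant failed; consider including tp->t_state and inp->inp_flags in the format string, e.g. `("%s: inp %p not dropped or embryonic (state %d, flags 0x%x)", __func__, inp, tp->t_state, inp->inp_flags)`, since that is exactly the information needed to trace the "other bug" the commit message refers to. Also worth stating in the new comment: on a kernel built without INVARIANTS the check compiles out, and a connection that somehow reaches this point neither dropped nor embryonic now has its tcpcb discarded and its inpcb freed while TCP may still reference it, whereas the removed else branch left the pcb in place. The commit message argues the old path panicked elsewhere anyway, so the trade-off is acceptable, but the comment should record that reasoning rather than just the "must be" assertion, so the next reader does not reintroduce the branch. Minor style point: the `a & b || c < d` condition is carried over from the old code; parenthesising the `&` term would silence compilers that warn about mixing bitwise and logical operators.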
