Differential D31879

sctp: Fix a LOR in sctp_listen()
ClosedPublic
Actions

Authored by markj on Sep 8 2021, 3:29 AM.

Details

Reviewers

tuexen

Group Reviewers

transport

Commits

rGee4731179cb8: sctp: Fix a lock order reversal in sctp_swap_inpcb_for_listen()

Summary

When port reuse is enabled in a one-to-one-style socket, sctp_listen()
may call sctp_swap_inpcb_for_listen() to move the PCB out of the "TCP
pool". In so doing it will drop the PCB lock, yielding an LOR since we
now hold several socket locks. Reorder sctp_listen() so that it
performs this operation before beginning the conversion to a listening
socket.

I'm not sure why I didn't hit this in my pre-commit testing, as I had
been running syzkaller for quite a while with those changes.

While here, remove a bogus lock upgrade: the PCB lock is just a mutex,
not a reader-writer lock as the macro names imply.

Fixes: bd4a39cc93d9 ("socket: Properly interlock when transitioning to a listening socket")
Reported by: syzkaller

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

markj created this revision.Sep 8 2021, 3:29 AM

Herald added a reviewer: transport. · View Herald TranscriptSep 8 2021, 3:29 AM

Herald added subscribers: melifaro, imp. · View Herald Transcript

markj requested review of this revision.Sep 8 2021, 3:29 AM

Harbormaster completed remote builds in B41426: Diff 94878.Sep 8 2021, 3:29 AM

While here, remove a bogus lock upgrade: the PCB lock is just a mutex,
not a reader-writer lock as the macro names imply.

Where are you doing this? Even if it is a mutex on FreeBSD, it might not be on all platforms... So if possible, I would like to keep the rw-semantic, if possible.

In D31879#719273, @tuexen wrote:

While here, remove a bogus lock upgrade: the PCB lock is just a mutex,
not a reader-writer lock as the macro names imply.

Where are you doing this? Even if it is a mutex on FreeBSD, it might not be on all platforms... So if possible, I would like to keep the rw-semantic, if possible.

Sorry, the explanation is wrong (should be "downgrade"). sctp_swap_inpcb_for_listen() is now called with the inp write lock held, so we should return with the write lock held. As a result we don't need to do a lock downgrade. The fact that the PCB lock is a mutex on FreeBSD just meant that WITNESS didn't catch this.

In D31879#719282, @markj wrote:

In D31879#719273, @tuexen wrote:

While here, remove a bogus lock upgrade: the PCB lock is just a mutex,
not a reader-writer lock as the macro names imply.

Where are you doing this? Even if it is a mutex on FreeBSD, it might not be on all platforms... So if possible, I would like to keep the rw-semantic, if possible.

Sorry, the explanation is wrong (should be "downgrade"). sctp_swap_inpcb_for_listen() is now called with the inp write lock held, so we should return with the write lock held. As a result we don't need to do a lock downgrade. The fact that the PCB lock is a mutex on FreeBSD just meant that WITNESS didn't catch this.