When writing trailers in sendfile(2), don't call kern_writev()

while holding the socket buffer lock.  These leads to an
immediate panic due to recursing the socket buffer lock.  This
bug was introduced in uipc_syscalls.c:1.240, but masked by
another bug until that was fixed in uipc_syscalls.c:1.269.

Note that the current fix isn't perfect, but better than
panicking: normally we guarantee that simultaneous invocations
of a system call to write on a stream socket won't be
interlaced, which is ensured by use of the socket buffer sleep
lock.  This is guaranteed for the sendfile headers, but not
trailers.  In practice, this is likely not a problem, but
should be fixed.

MFC after:	3 days
Pointy hat to:	andre (1.240), cperciva (1.269)

1 files changed, 4 insertions, 3 deletions

diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c
index ab5cb5f..0599b22 100644
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@@ -2207,10 +2207,11 @@ retry_space:
 	 * Send trailers. Wimp out and use writev(2).
 	 */
 	if (trl_uio != NULL) {
+		sbunlock(&so->so_snd);
 		error = kern_writev(td, uap->s, trl_uio);
-		if (error)
-			goto done;
-		sbytes += td->td_retval[0];
+		if (error == 0)
+			sbytes += td->td_retval[0];
+		goto out;
 	}
 
 done: