More carefully handle various cases in sysctl_drop(), such as unlocking

the inpcb when there's an inpcb without associated timewait state, and not unlocking when the inpcb has been freed. This avoids a kernel panic when tcpdrop(8) is run on a socket in the TIMEWAIT state. MFC after: 3 days Reported by: Rako <rako29 at gmail dot com>
author: rwatson <rwatson@FreeBSD.org> 2007-11-24 18:43:59 +0000
committer: rwatson <rwatson@FreeBSD.org> 2007-11-24 18:43:59 +0000
commit: a32c33d2c7cc46114e370570f3d7be98a5ea2f03 (patch)
tree: cd37a51fcec4d18160aa1ab3681a42e5c6392145 /sys/netinet/tcp_subr.c
parent: 3a9e4de211c8fa6102f9910b9d0c803c44ba5370 (diff)
download: FreeBSD-src-a32c33d2c7cc46114e370570f3d7be98a5ea2f03.zip
FreeBSD-src-a32c33d2c7cc46114e370570f3d7be98a5ea2f03.tar.gz
1 files changed, 7 insertions, 3 deletions
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 688a5d2..dc4846d 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -2049,12 +2049,16 @@ sysctl_drop(SYSCTL_HANDLER_ARGS)
 			tw = intotw(inp);
 			if (tw != NULL)
 				tcp_twclose(tw, 0);
+			else
+				INP_UNLOCK(inp);
 		} else if (!(inp->inp_vflag & INP_DROPPED) &&
 			   !(inp->inp_socket->so_options & SO_ACCEPTCONN)) {
 			tp = intotcpcb(inp);
-			tcp_drop(tp, ECONNABORTED);
-		}
-		INP_UNLOCK(inp);
+			tp = tcp_drop(tp, ECONNABORTED);
+			if (tp != NULL)
+				INP_UNLOCK(inp);
+		} else
+			INP_UNLOCK(inp);
 	} else
 		error = ESRCH;
 	INP_INFO_WUNLOCK(&tcbinfo);
author	rwatson <rwatson@FreeBSD.org>	2007-11-24 18:43:59 +0000
committer	rwatson <rwatson@FreeBSD.org>	2007-11-24 18:43:59 +0000
commit	a32c33d2c7cc46114e370570f3d7be98a5ea2f03 (patch)
tree	cd37a51fcec4d18160aa1ab3681a42e5c6392145 /sys/netinet/tcp_subr.c
parent	3a9e4de211c8fa6102f9910b9d0c803c44ba5370 (diff)
download	FreeBSD-src-a32c33d2c7cc46114e370570f3d7be98a5ea2f03.zip FreeBSD-src-a32c33d2c7cc46114e370570f3d7be98a5ea2f03.tar.gz