From 947d455fe545687a4cadb4d87c6a2139ca73b6c9 Mon Sep 17 00:00:00 2001
From: Michael Tuexen
Date: Wed, 13 Sep 2023 13:02:51 +0200
Subject: [PATCH] sctp: further improve shutting down the read side of a socket

Deal with the case that the association is already gone.

Reported by: syzbot+e256d42e9b390564530a@syzkaller.appspotmail.com
(cherry picked from commit bb56b36d7188e004840294d0bd5dfdf7f3392a05)
---
 sys/netinet/sctp_usrreq.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/sys/netinet/sctp_usrreq.c b/sys/netinet/sctp_usrreq.c
index 9f1a33b5ff2..3289d86ba83 100644
--- a/sys/netinet/sctp_usrreq.c
+++ b/sys/netinet/sctp_usrreq.c
@@ -818,11 +818,9 @@ sctp_flush(struct socket *so, int how)
 return (0);
 }
 stcb = LIST_FIRST(&inp->sctp_asoc_list);
- if (stcb == NULL) {
- SCTP_INP_WUNLOCK(inp);
- return (ENOTCONN);
+ if (stcb != NULL) {
+ SCTP_TCB_LOCK(stcb);
 }
- SCTP_TCB_LOCK(stcb);
 SCTP_INP_READ_LOCK(inp);
 inp->sctp_flags |= SCTP_PCB_FLAGS_SOCKET_CANT_READ;
 SOCK_LOCK(so);
@@ -848,7 +846,7 @@ sctp_flush(struct socket *so, int how)
 }
 SOCK_UNLOCK(so);
 SCTP_INP_READ_UNLOCK(inp);
- if (need_to_abort) {
+ if (need_to_abort && (stcb != NULL)) {
 inp->last_abort_code = SCTP_FROM_SCTP_USRREQ + SCTP_LOC_6;
 SCTP_INP_WUNLOCK(inp);
 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
@@ -857,7 +855,9 @@ sctp_flush(struct socket *so, int how)
 NET_EPOCH_EXIT(et);
 return (ECONNABORTED);
 }
- SCTP_TCB_UNLOCK(stcb);
+ if (stcb != NULL) {
+ SCTP_TCB_UNLOCK(stcb);
+ }
 SCTP_INP_WUNLOCK(inp);
 return (0);
 }
--
2.45.0
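Review bot: The TCB lock is now taken only under `if (stcb != NULL)`, and its conditional release is in the last hunk of this patch, so lock balance depends on `stcb` not being reassigned between the two sites; part of that stretch lies outside the visible hunks. A comment above the new `if` would record why the function carries on without an association, for example `/* The association may already be gone; still mark the socket as not readable. */`. Callers that used to get ENOTCONN here now continue toward `return (0)`, which deserves a sentence in the function's header comment if one exists. The body of sctp_flush starts before this hunk.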
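Review bot: When `need_to_abort` is set and `stcb` is NULL, the new condition sends control to the common exit and the function returns 0, so the caller gets no indication that an abort was wanted. Where `need_to_abort` is set is outside this hunk, so whether that outcome is acceptable cannot be confirmed from here; if it is intended, state it at the site with something like `/* Nothing to abort when the association is already gone. */` above the `if`. The abort call between this hunk and the next is not shown.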