From b6ca75d739881f7cd31b814a14efe2bc6956e790 Mon Sep 17 00:00:00 2001
From: rrs
Date: Tue, 26 Mar 2019 10:41:27 +0000
Subject: [PATCH] Fix a small bug in the tcp_log_id where the bucket was unlocked and yet the bucket-unlock flag was not changed to false. This can cause a panic if INVARIANTS is on and we go through the right path (though rare).
Reported by: syzbot+179a1ad49f3c4c215fa2@syzkaller.appspotmail.com
Reviewed by: tuexen@
MFC after: 1 week
---
 sys/netinet/tcp_output.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index d67e1b9bee3..aecd08e626e 100644
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -138,7 +138,8 @@ SYSCTL_INT(_net_inet_tcp, OID_AUTO, sendbuf_auto_lowat, CTLFLAG_VNET | CTLFLAG_R
 * non-ACK.
 */
 #define TCP_XMIT_TIMER_ASSERT(tp, len, th_flags) \
- KASSERT(((len) == 0 && ((th_flags) & (TH_SYN | TH_FIN)) == 0) ||\
+ KASSERT(((len) == 0 && ((th_flags) & \
+ (TH_SYN | TH_FIN | TH_RST)) != 0) || \
 tcp_timer_active((tp), TT_REXMT) || \
 tcp_timer_active((tp), TT_PERSIST), \
 ("neither rexmt nor persist timer is set"))
-- 
2.45.0
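Review bot: The first clause of `TCP_XMIT_TIMER_ASSERT` now tests `!= 0` where it tested `== 0`, which inverts the exemption rather than only adding `TH_RST`: a zero-length segment carrying SYN, FIN or RST passes with no timer armed, while a zero-length pure ACK must now have the rexmt or persist timer active. That appears to contradict the visible comment tail ("non-ACK") and the assertion message, and on an INVARIANTS kernel it would presumably fire on ordinary ACK-only output, while no longer catching a SYN or FIN sent without a retransmit timer. The removed line already let a bare RST through, since `(th_flags) & (TH_SYN | TH_FIN)` is zero for it, so if RST was the only concern the original `(TH_SYN | TH_FIN)) == 0) ||` test can stay. The commit message describes a tcp_log_id bucket-unlock flag fix and does not mention this macro, so the intent cannot be confirmed from the page; the description should cover this change, and the macro's comment (which starts outside the hunk) should state which segments are exempt from the timer requirement.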