so_splice: Synchronize so_unsplice() with so_splice()
ClosedPublic
Actions

Authored by markj on Apr 13 2025, 3:45 PM.

Details

Reviewers

Commits

rGc0c5d01e5374: so_splice: Synchronize so_unsplice() with so_splice()
rG992b18a9ec9f: so_splice: Synchronize so_unsplice() with so_splice()

Summary

so_unsplice() assumed that if SB_SPLICED is set in the receive buffer of
the first socket, then the splice is fully initialized. However, that's
not true, and it's possible for so_unsplice() to race ahead of
so_splice().

Modify so_unsplice() to simply bail if the splice state is embryonic.

Reported by: syzkaller

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

markj created this revision.Apr 13 2025, 3:45 PM

Herald added subscribers: olce, glebius, imp. · View Herald TranscriptApr 13 2025, 3:45 PM

markj requested review of this revision.Apr 13 2025, 3:45 PM

Harbormaster completed remote builds in B63486: Diff 153612.Apr 13 2025, 3:45 PM

gallatin accepted this revision.Apr 14 2025, 10:29 PM

This revision is now accepted and ready to land.Apr 14 2025, 10:29 PM

Closed by commit rG992b18a9ec9f: so_splice: Synchronize so_unsplice() with so_splice() (authored by markj). · Explain WhyApr 15 2025, 12:58 AM

This revision was automatically updated to reflect the committed changes.

markj added a commit: rG992b18a9ec9f: so_splice: Synchronize so_unsplice() with so_splice().

markj added a commit: rGc0c5d01e5374: so_splice: Synchronize so_unsplice() with so_splice().Apr 29 2025, 12:48 AM

Revision Contents
Changeset List

Path

Size

sys/

kern/

uipc_socket.c

15 lines

Diff 153665

View Options

so_splice: Synchronize so_unsplice() with so_splice()ClosedPublicActions