Do UNP_CONNECTING and UNP_BINDING flags check in uipc_listen() and

return EINVAL if set. This prevents concurrent solisten() thread to make
this socket listening while socket is unlocked.

Reported-by: syzbot+4acfcd73d15382a3e7cf@syzkaller.appspotmail.com
ok mpi

diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index 73a319b..b01cad4 100644 (file)
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: uipc_usrreq.c,v 1.200 2023/11/28 09:29:20 jsg Exp $   */
+/*     $OpenBSD: uipc_usrreq.c,v 1.201 2024/03/17 19:47:08 mvs Exp $   */
 /*     $NetBSD: uipc_usrreq.c,v 1.18 1996/02/09 19:00:50 christos Exp $        */
 
 /*
@@ -415,6 +415,8 @@ uipc_listen(struct socket *so)
 {
        struct unpcb *unp = sotounpcb(so);
 
+       if (unp->unp_flags & (UNP_BINDING | UNP_CONNECTING))
+               return (EINVAL);
        if (unp->unp_vnode == NULL)
                return (EINVAL);
        return (0);