From d1dd449e9dd6e2b9cdfa50c385fdf9d7c133c233 Mon Sep 17 00:00:00 2001
From: mvs
Date: Wed, 26 Jun 2024 12:23:36 +0000
Subject: [PATCH] Push socket re-lock to the vnode(9) release path within unp_detach(). The only reason to re-lock dying `so' is the lock order with vnode(9) lock, thus `unp_gc_lock' rwlock(9) could be taken after solock().
ok bluhm
---
 sys/kern/uipc_usrreq.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index 89a5e971ff3..bbedc6588de 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: uipc_usrreq.c,v 1.206 2024/05/03 17:43:09 mvs Exp $ */
+/* $OpenBSD: uipc_usrreq.c,v 1.207 2024/06/26 12:23:36 mvs Exp $ */
 /* $NetBSD: uipc_usrreq.c,v 1.18 1996/02/09 19:00:50 christos Exp $ */
 /*
@@ -761,26 +761,22 @@ unp_detach(struct unpcb *unp)
 unp->unp_vnode = NULL;
- /*
- * Enforce `i_lock' -> `solock()' lock order.
- */
- sounlock(so);
-
 rw_enter_write(&unp_gc_lock);
 LIST_REMOVE(unp, unp_link);
 rw_exit_write(&unp_gc_lock);
 if (vp != NULL) {
+ /* Enforce `i_lock' -> solock() lock order. */
+ sounlock(so);
 VOP_LOCK(vp, LK_EXCLUSIVE);
 vp->v_socket = NULL;
 KERNEL_LOCK();
 vput(vp);
 KERNEL_UNLOCK();
+ solock(so);
 }
-
 solock(so);
-
 if (unp->unp_conn != NULL) {
 /*
 * Datagram socket could be connected to itself.
-- 
2.20.1
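Review bot: The second hunk now takes `unp_gc_lock` while solock() is still held, but nothing at that site records the new solock() -> `unp_gc_lock` nesting. The only comment left covers the vnode order, so a later change could reintroduce the opposite order unnoticed. I would add a comment above `rw_enter_write(&unp_gc_lock);` along the lines of `/* Lock order: solock() -> unp_gc_lock. */`, after confirming that no other `unp_gc_lock` holder (outside this hunk) acquires solock() underneath it. Inside `if (vp != NULL)` the socket is still unlocked across VOP_LOCK()/vput(), so the moved comment could also say that `so' state must be re-read after `solock(so);`, as the following `unp->unp_conn` check does. unp_detach() starts and ends outside the hunk, so the way `so` and `vp` are obtained cannot be checked from here.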