From d1ea0a7c7de994c94e080237116e3e91989b4d68 Mon Sep 17 00:00:00 2001
From: mvs
Date: Sun, 17 Mar 2024 19:47:08 +0000
Subject: [PATCH] Do UNP_CONNECTING and UNP_BINDING flags check in uipc_listen() and return EINVAL if set. This prevents concurrent solisten() thread to make this socket listening while socket is unlocked.
Reported-by: syzbot+4acfcd73d15382a3e7cf@syzkaller.appspotmail.com
ok mpi
---
 sys/kern/uipc_usrreq.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index 73a319bc387..b01cad482d6 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: uipc_usrreq.c,v 1.200 2023/11/28 09:29:20 jsg Exp $ */
+/* $OpenBSD: uipc_usrreq.c,v 1.201 2024/03/17 19:47:08 mvs Exp $ */
 /* $NetBSD: uipc_usrreq.c,v 1.18 1996/02/09 19:00:50 christos Exp $ */
 
 /*
@@ -415,6 +415,8 @@ uipc_listen(struct socket *so)
 {
 struct unpcb *unp = sotounpcb(so);
 
+if (unp->unp_flags & (UNP_BINDING | UNP_CONNECTING))
+return (EINVAL);
 if (unp->unp_vnode == NULL)
 return (EINVAL);
 return (0);
-- 
2.20.1
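Review bot: The new UNP_BINDING | UNP_CONNECTING test in uipc_listen() carries no comment, so the reason it rejects with EINVAL only survives in the commit log; a reader of the function will not see that these flags mark a bind(2)/connect(2) that is still in flight. I would precede the check with `/* A bind(2) or connect(2) on this socket is still in progress and may have dropped the socket lock; refuse to listen on it until that completes. */`, phrased as far as the surrounding code confirms it. The check also presumes uipc_listen() is entered with the socket lock held so the unp_flags read itself is not racy; that is not visible in the hunk and is worth stating in the same comment. Returning EINVAL here reuses the code the unp_vnode == NULL case already returns, so the two tests could be folded into one condition if the file prefers it. The closing brace of uipc_listen() lies outside the hunk.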