Index: sys/netinet/in_pcb.c =================================================================== RCS file: /mount/openbsd/cvs/src/sys/netinet/in_pcb.c,v diff -u -p -u -p -r1.307 in_pcb.c --- sys/netinet/in_pcb.c 24 Dec 2024 16:27:07 -0000 1.307 +++ sys/netinet/in_pcb.c 2 Jan 2025 17:16:12 -0000 @@ -237,6 +237,7 @@ in_pcballoc(struct socket *so, struct in return (ENOBUFS); inp->inp_table = table; inp->inp_socket = so; + mtx_init(&inp->inp_sofree_mtx, IPL_SOFTNET); refcnt_init_trace(&inp->inp_refcnt, DT_REFCNT_IDX_INPCB); inp->inp_seclevel.sl_auth = IPSEC_AUTH_LEVEL_DEFAULT; inp->inp_seclevel.sl_esp_trans = IPSEC_ESP_TRANS_LEVEL_DEFAULT; @@ -584,6 +585,9 @@ in_pcbdetach(struct inpcb *inp) struct inpcbtable *table = inp->inp_table; so->so_pcb = NULL; + mtx_enter(&inp->inp_sofree_mtx); + inp->inp_socket = NULL; + mtx_leave(&inp->inp_sofree_mtx); /* * As long as the NET_LOCK() is the default lock for Internet * sockets, do not release it to not introduce new sleeping @@ -616,6 +620,32 @@ in_pcbdetach(struct inpcb *inp) mtx_leave(&table->inpt_mtx); in_pcbunref(inp); +} + +struct socket * +in_pcbsolock(struct inpcb *inp) +{ + struct socket *so; + + NET_ASSERT_LOCKED(); + + mtx_enter(&inp->inp_sofree_mtx); + so = soref(inp->inp_socket); + mtx_leave(&inp->inp_sofree_mtx); + if (so == NULL) + return NULL; + + rw_enter_write(&so->so_lock); + sorele(so, 1); + + return so; +} + +void +in_pcbsounlock(struct inpcb *inp, struct socket *so) +{ + KASSERT(inp->inp_socket == so); + rw_exit_write(&so->so_lock); } struct inpcb * Index: sys/netinet/in_pcb.h =================================================================== RCS file: /mount/openbsd/cvs/src/sys/netinet/in_pcb.h,v diff -u -p -u -p -r1.161 in_pcb.h --- sys/netinet/in_pcb.h 24 Dec 2024 16:27:07 -0000 1.161 +++ sys/netinet/in_pcb.h 2 Jan 2025 17:16:12 -0000 @@ -81,6 +81,7 @@ * t inpt_mtx pcb table mutex * L pf_inp_mtx link pf to inp mutex * s so_lock socket rwlock + * f inp_sofree_mtx socket detach and lock */ /* @@ -136,7 +137,8 @@ struct inpcb { #define inp_laddr6 inp_laddru.iau_addr6 u_int16_t inp_fport; /* [t] foreign port */ u_int16_t inp_lport; /* [t] local port */ - struct socket *inp_socket; /* [I] back pointer to socket */ + struct socket *inp_socket; /* [f] back pointer to socket */ + struct mutex inp_sofree_mtx; /* protect socket free */ caddr_t inp_ppcb; /* pointer to per-protocol pcb */ struct route inp_route; /* [s] cached route */ struct refcnt inp_refcnt; /* refcount PCB, delay memory free */ @@ -309,6 +311,9 @@ int in_pcbaddrisavail(const struct inpc struct proc *); int in_pcbconnect(struct inpcb *, struct mbuf *); void in_pcbdetach(struct inpcb *); +struct socket * + in_pcbsolock(struct inpcb *); +void in_pcbsounlock(struct inpcb *, struct socket *); struct inpcb * in_pcbref(struct inpcb *); void in_pcbunref(struct inpcb *); Index: sys/netinet/tcp_input.c =================================================================== RCS file: /mount/openbsd/cvs/src/sys/netinet/tcp_input.c,v diff -u -p -u -p -r1.417 tcp_input.c --- sys/netinet/tcp_input.c 2 Jan 2025 10:55:18 -0000 1.417 +++ sys/netinet/tcp_input.c 2 Jan 2025 17:16:12 -0000 @@ -3371,6 +3371,7 @@ syn_cache_timer(void *arg) { struct syn_cache *sc = arg; struct inpcb *inp; + struct socket *so; uint64_t now; int lastref; @@ -3404,11 +3405,15 @@ syn_cache_timer(void *arg) goto freeit; mtx_leave(&syn_cache_mtx); - NET_LOCK(); - now = tcp_now(); - (void) syn_cache_respond(sc, NULL, now); - tcpstat_inc(tcps_sc_retransmitted); - NET_UNLOCK(); + NET_LOCK_SHARED(); + so = in_pcbsolock(inp); + if (so != NULL) { + now = tcp_now(); + (void) syn_cache_respond(sc, NULL, now); + tcpstat_inc(tcps_sc_retransmitted); + in_pcbsounlock(inp, so); + } + NET_UNLOCK_SHARED(); in_pcbunref(inp); syn_cache_put(sc); Index: sys/sys/socketvar.h =================================================================== RCS file: /mount/openbsd/cvs/src/sys/sys/socketvar.h,v diff -u -p -u -p -r1.136 socketvar.h --- sys/sys/socketvar.h 1 Jan 2025 13:44:22 -0000 1.136 +++ sys/sys/socketvar.h 2 Jan 2025 17:16:12 -0000 @@ -209,10 +209,13 @@ struct socket { void soassertlocked(struct socket *); void soassertlocked_readonly(struct socket *); -static inline void +static inline struct socket * soref(struct socket *so) { + if (so == NULL) + return NULL; refcnt_take(&so->so_refcnt); + return so; } /*