From owner-freebsd-bugs@FreeBSD.ORG Thu May 12 13:50:09 2011
Message-Id: <201105121349.p4CDnXMU079503@red.freebsd.org>
Date: Thu, 12 May 2011 13:49:33 GMT
From: Andrew Boyer
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/156978: [lagg][patch] Take lagg rlock before checking flags

>Number: 156978
>Category: kern
>Synopsis: [lagg][patch] Take lagg rlock before checking flags
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu May 12 13:50:09 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Andrew Boyer
>Release: 8.2-RELEASE
>Organization: Avere Systems
>Environment:
N/A
>Description:
lagg_input() tests flags in the lagg data structures without a lock. If the flags check passes it then takes the rlock. It is safer to take the rlock before testing the flags. When interfaces are changing it is possible to get kernel panics without this change.
>How-To-Repeat:
Rebooting a system with laggs configured sometimes panics with a NULL pointer dereference.
>Fix:
Take the rlock before testing the flags.

Patch attached with submission follows:

Index: sys/net/if_lagg.c =================================================================== --- sys/net/if_lagg.c (revision 221809) +++ sys/net/if_lagg.c (working copy) @@ -1221,14 +1221,15 @@ struct lagg_softc *sc = lp->lp_softc; struct ifnet *scifp = sc->sc_ifp; + LAGG_RLOCK(sc); if ((scifp->if_drv_flags & IFF_DRV_RUNNING) == 0 || (lp->lp_flags & LAGG_PORT_DISABLED) || sc->sc_proto == LAGG_PROTO_NONE) { + LAGG_RUNLOCK(sc); m_freem(m); return (NULL); } - LAGG_RLOCK(sc); ETHER_BPF_MTAP(scifp, m); m = (*sc->sc_input)(sc, lp, m);

>Release-Note:
>Audit-Trail:
>Unformatted:
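
Review bot: the two initializers at the top of the hunk, `struct lagg_softc *sc = lp->lp_softc;` and `struct ifnet *scifp = sc->sc_ifp;`, still dereference `lp` and `sc` before the new `LAGG_RLOCK(sc)`, so those two reads stay outside the lock while `if_drv_flags`, `lp_flags` and `sc_proto` are now checked under it. If the NULL pointer dereference seen on reboot comes from a port being torn down while a packet is in flight, this narrows the window rather than closing it. Consider assigning `scifp` after `LAGG_RLOCK(sc)` and adding a comment above the lock that states what keeps `lp->lp_softc` valid on entry to `lagg_input()`. The early-return branch does release the lock before `m_freem(m)`, which is right; a one-line comment saying the three flag checks depend on the rlock would stop a later cleanup from moving the lock back below them.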