Date: Wed, 13 Jun 2018 04:23:49 +0000 (UTC)
From: Matt Macy <mmacy@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r335028 - head/sys/netinet
Message-ID: <201806130423.w5D4Nnmp056278@repo.freebsd.org>
Author: mmacy Date: Wed Jun 13 04:23:49 2018 New Revision: 335028 URL: https://svnweb.freebsd.org/changeset/base/335028 Log: Handle INP_FREED when looking up an inpcb When hash table lookups are not serialized with in_pcbfree it will be possible for callers to find an inpcb that has been marked free. We need to check for this and return NULL. Modified: head/sys/netinet/in_pcb.c Modified: head/sys/netinet/in_pcb.c ============================================================================== --- head/sys/netinet/in_pcb.c Wed Jun 13 04:00:21 2018 (r335027) +++ head/sys/netinet/in_pcb.c Wed Jun 13 04:23:49 2018 (r335028) @@ -2209,7 +2209,14 @@ found: locked = INP_TRY_RLOCK(inp); else panic("%s: locking bug", __func__); - if (!locked) + if (__predict_false(locked && (inp->inp_flags2 & INP_FREED))) { + if (lookupflags & INPLOOKUP_WLOCKPCB) + INP_WUNLOCK(inp); + else + INP_RUNLOCK(inp); + INP_HASH_RUNLOCK(pcbinfo); + return (NULL); + } else if (!locked) in_pcbref(inp); INP_GROUP_UNLOCK(pcbgroup); if (!locked) {
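Review bot: the new INP_FREED branch under `found:` releases `INP_HASH_RUNLOCK(pcbinfo)` before `return (NULL);`, while the fall-through path directly below it releases `INP_GROUP_UNLOCK(pcbgroup)`. As written, the early return appears to leave the pcbgroup lock held and to drop a hash lock that the visible context does not show being acquired. Suggest using `INP_GROUP_UNLOCK(pcbgroup);` on that path, or adding a comment explaining why the hash lock is the correct one to release here. Separately, the flag is only tested when the trylock succeeded (`locked && ...`). The `!locked` path still takes `in_pcbref(inp)` on an inpcb that may already be marked INP_FREED, so please confirm that the `if (!locked) {` block rechecks `inp_flags2` once it holds the inpcb lock, and say so in the log message if it does.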