Date: Mon, 22 Oct 2007 19:01:26 +0000 (UTC) From: John Baldwin <jhb@FreeBSD.org> To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org Subject: cvs commit: src/sys/net route.c src/sys/netinet6 nd6.c Message-ID: <200710221901.l9MJ1QNn086567@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
jhb 2007-10-22 19:01:26 UTC
FreeBSD src repository
Modified files:
sys/net route.c
sys/netinet6 nd6.c
Log:
Close a race when trying to lookup a gateway route in rt_check().
Specifically, if two threads were doing concurrent lookups and the existing
gateway was marked down, the the first thread would drop a reference on the
gateway route and then unlock the "root" route while it tried to allocate
a new route. The second thread could then also drop a reference on the
same gateway route resulting in a reference underflow. Fix this by
clearing the gateway route pointer after dropping the reference count but
before dropping the lock. Secondly, in this same case, the second thread
would overwrite the gateway route pointer w/o free'ing a reference to the
route installed by the first thread. In practice this would probably just
fix a lost reference that would result in a route never being freed.
This fixes panics observed in rt_check() and rtexpunge().
MFC after: 1 week
PR: kern/112490
Insight from: mehuljv at yahoo.com
Reviewed by: ru (found the "not-setting it to NULL" part)
Tested by: several
Revision Changes Path
1.121 +3 -1 src/sys/net/route.c
1.84 +3 -1 src/sys/netinet6/nd6.c
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200710221901.l9MJ1QNn086567>