From owner-cvs-all@FreeBSD.ORG Sat Sep 13 15:34:53 2003
Message-Id: <200309132234.h8DMYqPi072523@repoman.freebsd.org>
From: Bill Paul
Date: Sat, 13 Sep 2003 15:34:52 -0700 (PDT)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
X-FreeBSD-CVS-Branch: HEAD
Subject: cvs commit: src/sys/netinet6 in6_ifattach.c
List-Id: CVS commit messages for the entire tree

wpaul       2003/09/13 15:34:52 PDT

  FreeBSD src repository

  Modified files:
    sys/netinet6         in6_ifattach.c
  Log:
  The in6_ifattach() routine contains the following code:

          in6_pcbpurgeif0(LIST_FIRST(udbinfo.listhead), ifp);
          in6_pcbpurgeif0(LIST_FIRST(ripcbinfo.listhead), ifp);

  The problem here is that udbinfo.listhead and ripcbinfo.listhead
  are not initialized during the device probe/attach phase of the
  kernel boot process.
  So if, for example, a network driver calls ether_ifattach()
  in its foo_attach() routine and then decides that something is wrong
  and calls ether_ifdetach() to reverse the process, we will panic
  trying to dereference the uninitialized list head pointers. (Though
  the same sequence of events performed after the kernel has come up
  works fine, i.e. doing kldload if_foo from multiuser.)

  Change this to:

          if (udbinfo.listhead != NULL)
                  in6_pcbpurgeif0(LIST_FIRST(udbinfo.listhead), ifp);
          if (ripcbinfo.listhead != NULL)
                  in6_pcbpurgeif0(LIST_FIRST(ripcbinfo.listhead), ifp);

  to avoid the NULL pointer dereferences.

  Revision  Changes    Path
  1.12      +4 -2      src/sys/netinet6/in6_ifattach.c
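
The initialization-order problem described in the log, modelled in userland C as an added example (not FreeBSD source, and not part of the original commit mail). Only udbinfo, ripcbinfo, listhead and LIST_FIRST come from the message; the struct layouts, pcbpurgeif0(), ifdetach_guarded() and the two scenario functions are simplified, hypothetical stand-ins.

```c
#include <stddef.h>

/* Simplified userland stand-ins for the kernel structures (assumptions). */
struct ifnet { int if_index; };
struct pcb { struct pcb *next; struct ifnet *ifp; };
struct pcbhead { struct pcb *lh_first; };
struct pcbinfo { struct pcbhead *listhead; };  /* pointer: NULL until protocol init */
#define LIST_FIRST(head) ((head)->lh_first)    /* dereferences head */

static struct pcbinfo udbinfo, ripcbinfo;      /* static storage: listhead == NULL */
static struct pcbhead udb, ripcb;

/* Drop every reference to ifp on the list starting at first; return the count. */
static int pcbpurgeif0(struct pcb *first, struct ifnet *ifp)
{
    int n = 0;
    for (struct pcb *p = first; p != NULL; p = p->next)
        if (p->ifp == ifp) { p->ifp = NULL; n++; }
    return n;
}

/* Detach path with the guards from the commit: an unset list head is skipped
 * instead of being passed to LIST_FIRST(), which would dereference NULL. */
static int ifdetach_guarded(struct ifnet *ifp)
{
    int n = 0;
    if (udbinfo.listhead != NULL)
        n += pcbpurgeif0(LIST_FIRST(udbinfo.listhead), ifp);
    if (ripcbinfo.listhead != NULL)
        n += pcbpurgeif0(LIST_FIRST(ripcbinfo.listhead), ifp);
    return n;
}

/* Boot-time case: a driver attaches, then detaches, before protocol init. */
int detach_before_init(void)
{
    struct ifnet foo0 = { 1 };
    udbinfo.listhead = ripcbinfo.listhead = NULL;  /* state during probe/attach */
    return ifdetach_guarded(&foo0);
}

/* Multiuser case (kldload): list heads exist, PCBs bound to ifp are purged. */
int detach_after_init(void)
{
    struct ifnet foo0 = { 1 }, bar0 = { 2 };       /* constructed sample data */
    struct pcb c = { NULL, &foo0 }, b = { &c, &bar0 }, a = { &b, &foo0 }, r = { NULL, &foo0 };
    udbinfo.listhead = &udb; ripcbinfo.listhead = &ripcb;  /* what protocol init sets up */
    udb.lh_first = &a; ripcb.lh_first = &r;
    int n = ifdetach_guarded(&foo0);
    return b.ifp == &bar0 ? n : -1;                /* the other interface is untouched */
}

int main(void) { return detach_before_init() == 0 && detach_after_init() == 3 ? 0 : 1; }
```

Without the two NULL checks, detach_before_init() would evaluate LIST_FIRST() on a NULL head, which is the boot-time panic the log describes.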