From owner-svn-src-all@FreeBSD.ORG Sat Mar 12 09:41:26 2011 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5376F1065679; Sat, 12 Mar 2011 09:41:26 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 27CEA8FC13; Sat, 12 Mar 2011 09:41:26 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id p2C9fQS5011447; Sat, 12 Mar 2011 09:41:26 GMT (envelope-from bz@svn.freebsd.org) Received: (from bz@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id p2C9fQdd011445; Sat, 12 Mar 2011 09:41:26 GMT (envelope-from bz@svn.freebsd.org) Message-Id: <201103120941.p2C9fQdd011445@svn.freebsd.org> From: "Bjoern A. Zeeb" Date: Sat, 12 Mar 2011 09:41:26 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r219562 - head/sys/netinet6 X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Mar 2011 09:41:26 -0000 Author: bz Date: Sat Mar 12 09:41:25 2011 New Revision: 219562 URL: http://svn.freebsd.org/changeset/base/219562 Log: Make sure the locally cached value of rt->rt_gateway stays stable, even after dropping the reference and unlocking. Previously we have dereferenced a NULL pointer (after r121765). Simply unlocking after the block does not work either because of lock ordering (see r121765) and in addition we would still hold a pointer to something that might be gone by the time we access it. Thus take a copy of the value rather than just caching the pointer. PR: kern/151908 Submitted by: chenyl (netstar2008 126.com) (initial version) MFC after: 2 weeks Modified: head/sys/netinet6/nd6_nbr.c Modified: head/sys/netinet6/nd6_nbr.c ============================================================================== --- head/sys/netinet6/nd6_nbr.c Sat Mar 12 09:09:25 2011 (r219561) +++ head/sys/netinet6/nd6_nbr.c Sat Mar 12 09:41:25 2011 (r219562) @@ -113,7 +113,7 @@ nd6_ns_input(struct mbuf *m, int off, in int anycast = 0, proxy = 0, tentative = 0; int tlladdr; union nd_opts ndopts; - struct sockaddr_dl *proxydl = NULL; + struct sockaddr_dl proxydl; char ip6bufs[INET6_ADDRSTRLEN], ip6bufd[INET6_ADDRSTRLEN]; #ifndef PULLDOWN_TEST @@ -248,18 +248,25 @@ nd6_ns_input(struct mbuf *m, int off, in #endif need_proxy = (rt && (rt->rt_flags & RTF_ANNOUNCE) != 0 && rt->rt_gateway->sa_family == AF_LINK); - if (rt) + if (rt != NULL) { + /* + * Make a copy while we can be sure that rt_gateway + * is still stable before unlocking to avoid lock + * order problems. proxydl will only be used if + * proxy will be set in the next block. + */ + if (need_proxy) + proxydl = *SDL(rt->rt_gateway); RTFREE_LOCKED(rt); + } if (need_proxy) { /* * proxy NDP for single entry */ ifa = (struct ifaddr *)in6ifa_ifpforlinklocal(ifp, IN6_IFF_NOTREADY|IN6_IFF_ANYCAST); - if (ifa) { + if (ifa) proxy = 1; - proxydl = SDL(rt->rt_gateway); - } } } if (ifa == NULL) { @@ -333,7 +340,7 @@ nd6_ns_input(struct mbuf *m, int off, in nd6_na_output(ifp, &in6_all, &taddr6, ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) | (V_ip6_forwarding ? ND_NA_FLAG_ROUTER : 0), - tlladdr, (struct sockaddr *)proxydl); + tlladdr, (struct sockaddr *)&proxydl); goto freeit; } @@ -343,7 +350,7 @@ nd6_ns_input(struct mbuf *m, int off, in nd6_na_output(ifp, &saddr6, &taddr6, ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) | (V_ip6_forwarding ? ND_NA_FLAG_ROUTER : 0) | ND_NA_FLAG_SOLICITED, - tlladdr, (struct sockaddr *)proxydl); + tlladdr, (struct sockaddr *)&proxydl); freeit: if (ifa != NULL) ifa_free(ifa);