From owner-svn-src-stable-9@FreeBSD.ORG Sat Dec 15 08:29:23 2012 Return-Path: Delivered-To: svn-src-stable-9@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 6B86FEE4; Sat, 15 Dec 2012 08:29:23 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id 4C4528FC12; Sat, 15 Dec 2012 08:29:23 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.5/8.14.5) with ESMTP id qBF8TNmu005633; Sat, 15 Dec 2012 08:29:23 GMT (envelope-from glebius@svn.freebsd.org) Received: (from glebius@localhost) by svn.freebsd.org (8.14.5/8.14.5/Submit) id qBF8TNbs005632; Sat, 15 Dec 2012 08:29:23 GMT (envelope-from glebius@svn.freebsd.org) Message-Id: <201212150829.qBF8TNbs005632@svn.freebsd.org> From: Gleb Smirnoff Date: Sat, 15 Dec 2012 08:29:23 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r244242 - stable/9/sys/netinet X-SVN-Group: stable-9 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-9@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for only the 9-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 15 Dec 2012 08:29:23 -0000 Author: glebius Date: Sat Dec 15 08:29:22 2012 New Revision: 244242 URL: http://svnweb.freebsd.org/changeset/base/244242 Log: Merge from head r244157: Fix a crash in tcp_input(), that happens when mbuf has a fwd_tag on it, but later after processing and freeing the tag, we need to jump back again to the findpcb label. Since the fwd_tag pointer wasn't NULL we tried to process and free the tag for second time. Reported & tested by: Pawel Tyll Modified: stable/9/sys/netinet/tcp_input.c Directory Properties: stable/9/sys/ (props changed) Modified: stable/9/sys/netinet/tcp_input.c ============================================================================== --- stable/9/sys/netinet/tcp_input.c Sat Dec 15 07:11:16 2012 (r244241) +++ stable/9/sys/netinet/tcp_input.c Sat Dec 15 08:29:22 2012 (r244242) @@ -822,6 +822,7 @@ findpcb: /* Remove the tag from the packet. We don't need it anymore. */ m_tag_delete(m, fwd_tag); m->m_flags &= ~M_IP_NEXTHOP; + fwd_tag = NULL; } else if (isipv6) { inp = in6_pcblookup_mbuf(&V_tcbinfo, &ip6->ip6_src, th->th_sport, &ip6->ip6_dst, th->th_dport, @@ -859,6 +860,7 @@ findpcb: /* Remove the tag from the packet. We don't need it anymore. */ m_tag_delete(m, fwd_tag); m->m_flags &= ~M_IP_NEXTHOP; + fwd_tag = NULL; } else inp = in_pcblookup_mbuf(&V_tcbinfo, ip->ip_src, th->th_sport, ip->ip_dst, th->th_dport,