From owner-svn-src-head@freebsd.org  Sun Jul 15 00:47:07 2018
Return-Path: <owner-svn-src-head@freebsd.org>
Delivered-To: svn-src-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id C648E10454A5;
 Sun, 15 Jul 2018 00:47:07 +0000 (UTC)
 (envelope-from mmacy@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 7B91C8FC35;
 Sun, 15 Jul 2018 00:47:07 +0000 (UTC)
 (envelope-from mmacy@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 3E8AE2670C;
 Sun, 15 Jul 2018 00:47:07 +0000 (UTC)
 (envelope-from mmacy@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w6F0l6K8075706;
 Sun, 15 Jul 2018 00:47:06 GMT (envelope-from mmacy@FreeBSD.org)
Received: (from mmacy@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id w6F0l68J075705;
 Sun, 15 Jul 2018 00:47:06 GMT (envelope-from mmacy@FreeBSD.org)
Message-Id: <201807150047.w6F0l68J075705@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: mmacy set sender to
 mmacy@FreeBSD.org using -f
From: Matt Macy <mmacy@FreeBSD.org>
Date: Sun, 15 Jul 2018 00:47:06 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r336301 - head/sys/netinet6
X-SVN-Group: head
X-SVN-Commit-Author: mmacy
X-SVN-Commit-Paths: head/sys/netinet6
X-SVN-Commit-Revision: 336301
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Jul 2018 00:47:08 -0000

Author: mmacy
Date: Sun Jul 15 00:47:06 2018
New Revision: 336301
URL: https://svnweb.freebsd.org/changeset/base/336301

Log:
  acquire inp lock around ip6_pcbopt to fix IPV6_TCLASS panic
  
  Simple fix to address panics relating to setting IPV6_TCLASS
  with setsockopt(). The premise of this change is that it is
  ok to call malloc with M_NOWAIT while holding a lock on the
  in6p.
  
  If it later turns out that it is not ok, then major surgery
  will be required, as ip6_setpktopt() will have to be fixed
  (as it also calls malloc with M_NOWAIT) which pulls in the
  ip6_pcbopts(), ip6_setpktopts(), ip6_setpktopt() call chain.
  
  Submitted by:	Jason Eggnet
  Reviewed by:	rrs, transport, sbruno
  Sponsored by:	Limelight Networks
  Differential Revision:	https://reviews.freebsd.org/D16201

Modified:
  head/sys/netinet6/ip6_output.c

Modified: head/sys/netinet6/ip6_output.c
==============================================================================
--- head/sys/netinet6/ip6_output.c	Sun Jul 15 00:31:17 2018	(r336300)
+++ head/sys/netinet6/ip6_output.c	Sun Jul 15 00:47:06 2018	(r336301)
@@ -1636,11 +1636,17 @@ do {									\
 						error = EINVAL;
 						break;
 					}
+					INP_WLOCK(in6p);
+					if (in6p->inp_flags & (INP_TIMEWAIT | INP_DROPPED)) {
+						INP_WUNLOCK(in6p);
+						return (ECONNRESET);
+					}
 					optp = &in6p->in6p_outputopts;
 					error = ip6_pcbopt(IPV6_HOPLIMIT,
 					    (u_char *)&optval, sizeof(optval),
 					    optp, (td != NULL) ? td->td_ucred :
 					    NULL, uproto);
+					INP_WUNLOCK(in6p);
 					break;
 				}
 
@@ -1750,11 +1756,17 @@ do {									\
 					break;
 				{
 					struct ip6_pktopts **optp;
+					INP_WLOCK(in6p);
+					if (in6p->inp_flags & (INP_TIMEWAIT | INP_DROPPED)) {
+						INP_WUNLOCK(in6p);
+						return (ECONNRESET);
+					}
 					optp = &in6p->in6p_outputopts;
 					error = ip6_pcbopt(optname,
 					    (u_char *)&optval, sizeof(optval),
 					    optp, (td != NULL) ? td->td_ucred :
 					    NULL, uproto);
+					INP_WUNLOCK(in6p);
 					break;
 				}
 
@@ -1836,10 +1848,16 @@ do {									\
 					break;
 				optlen = sopt->sopt_valsize;
 				optbuf = optbuf_storage;
+				INP_WLOCK(in6p);
+				if (in6p->inp_flags & (INP_TIMEWAIT | INP_DROPPED)) {
+					INP_WUNLOCK(in6p);
+					return (ECONNRESET);
+				}
 				optp = &in6p->in6p_outputopts;
 				error = ip6_pcbopt(optname, optbuf, optlen,
 				    optp, (td != NULL) ? td->td_ucred : NULL,
 				    uproto);
+				INP_WUNLOCK(in6p);
 				break;
 			}
 #undef OPTSET
@@ -2286,7 +2304,9 @@ ip6_pcbopt(int optname, u_char *buf, int len, struct i
 
 	if (*pktopt == NULL) {
 		*pktopt = malloc(sizeof(struct ip6_pktopts), M_IP6OPT,
-		    M_WAITOK);
+		    M_NOWAIT);
+		if (*pktopt == NULL)
+			return (ENOBUFS);
 		ip6_initpktopts(*pktopt);
 	}
 	opt = *pktopt;