Date: Thu, 27 Sep 2018 15:32:37 +0000 (UTC) From: "Bjoern A. Zeeb" <bz@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r338969 - head/sys/netinet6 Message-ID: <201809271532.w8RFWbUX080944@repo.freebsd.org>
Author: bz
Date: Thu Sep 27 15:32:37 2018
New Revision: 338969
URL: https://svnweb.freebsd.org/changeset/base/338969

Log:
  In in6_pcbpurgeif0() called, e.g., from if_clone_destroy(), once we have a lock, make sure the inp is not marked freed. This can happen since the list traversal and locking was converted to epoch(9). If the inp is marked "freed", skip it. This prevents a NULL pointer deref panic later on.

  Reported by: slavash (Mellanox)
  Tested by: slavash (Mellanox)
  Reviewed by: markj (no formal review but caught my unlock mistake)
  Approved by: re (kib)

Modified:
  head/sys/netinet6/in6_pcb.c

Modified: head/sys/netinet6/in6_pcb.c ============================================================================== --- head/sys/netinet6/in6_pcb.c Thu Sep 27 15:27:53 2018 (r338968) +++ head/sys/netinet6/in6_pcb.c Thu Sep 27 15:32:37 2018 (r338969) @@ -809,6 +809,10 @@ in6_pcbpurgeif0(struct inpcbinfo *pcbinfo, struct ifne INP_INFO_WLOCK(pcbinfo); CK_LIST_FOREACH(in6p, pcbinfo->ipi_listhead, inp_list) { INP_WLOCK(in6p); + if (__predict_false(in6p->inp_flags2 & INP_FREED)) { + INP_WUNLOCK(in6p); + continue; + } im6o = in6p->in6p_moptions; if ((in6p->inp_vflag & INP_IPV6) && im6o != NULL) { /*
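Review bot: the new INP_FREED skip in the in6_pcbpurgeif0() loop has no inline comment saying why a freed inp can still be reached on ipi_listhead; the log explains it (the CK_LIST_FOREACH traversal now runs under epoch(9), so an inp marked freed may linger on the list until its epoch callback runs), and that reasoning belongs next to the code so a later reader does not remove the check as redundant. Suggest a short comment above `if (__predict_false(in6p->inp_flags2 & INP_FREED)) {`, e.g. `/* inp may be freed but still linked under epoch(9); skip it. */`. The `INP_WUNLOCK(in6p);` before `continue;` is correct since INP_WLOCK(in6p) was taken on the preceding line; without it the loop would exit this iteration still holding the inp lock, which is the unlock mistake the log credits markj with catching. Testing the flag only after INP_WLOCK is also the right order, as the flag read then happens under the same lock that the freeing path holds when it sets INP_FREED.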