git: f3546eacf0da - main - if_bridge: fix potential panic
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 19 May 2023 13:42:45 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=f3546eacf0daac55fe08b6ad5849b0e440f75ffb
commit f3546eacf0daac55fe08b6ad5849b0e440f75ffb
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2023-05-18 18:04:45 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2023-05-19 13:26:52 +0000
if_bridge: fix potential panic
When a new bridge_rtnode is added it is added with a NULL brt_dst. The
brt_dst is set after the entry is added. This means there's a small
window where another core could also attempt to add this node, leading
to the code attempting to log that the MAC addresses moved to a new
interface.
Aside from that being a spurious log entry it also panics, because
obif is NULL (and we attempt to dereference it).
Avoid this by settings brt_dst before we insert the bridge_rtnode.
Assert that obif is non-NULL, as an extra precaution.
Reported by: olivier@
Reviewed by: zlei@
Differential Revision: https://reviews.freebsd.org/D40147
---
sys/net/if_bridge.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index d78c647df0b4..9fe915d31283 100644
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -2940,12 +2940,12 @@ bridge_rtupdate(struct bridge_softc *sc, const uint8_t *dst, uint16_t vlan,
memcpy(brt->brt_addr, dst, ETHER_ADDR_LEN);
brt->brt_vlan = vlan;
+ brt->brt_dst = bif;
if ((error = bridge_rtnode_insert(sc, brt)) != 0) {
uma_zfree(V_bridge_rtnode_zone, brt);
BRIDGE_RT_UNLOCK(sc);
return (error);
}
- brt->brt_dst = bif;
bif->bif_addrcnt++;
BRIDGE_RT_UNLOCK(sc);
@@ -2953,6 +2953,8 @@ bridge_rtupdate(struct bridge_softc *sc, const uint8_t *dst, uint16_t vlan,
if ((brt->brt_flags & IFBAF_TYPEMASK) == IFBAF_DYNAMIC &&
(obif = brt->brt_dst) != bif) {
+ MPASS(obif != NULL);
+
BRIDGE_RT_LOCK(sc);
brt->brt_dst->bif_addrcnt--;
brt->brt_dst = bif;