kern/157209: [patch] locking error in rip6_input() (sys/netinet6/raw_ip6.c)

[Dmitrij Tejblum]

>Number:         157209
>Category:       kern
>Synopsis:       [patch] locking error in rip6_input() (sys/netinet6/raw_ip6.c)
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri May 20 12:40:10 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Dmitrij Tejblum
>Release:        8.2-STABLE
>Organization:
Yandex
>Environment:
>Description:
On a failure path in rip6_input(), the PCB is unlocked before the lock is taken.
>How-To-Repeat:

>Fix:
A possible quick patch is attached; anothe quick possibility would be to remove the unlock.

Patch attached with submission follows:

--- sys/netinet6/raw_ip6.c	2010-08-31 19:52:12.000000000 +0400
+++ sys/netinet6/raw_ip6.c	2011-05-14 00:27:24.000000000 +0400
@@ -193,20 +193,20 @@
 			if (!IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) &&
 			    prison_check_ip6(in6p->inp_cred,
 			    &ip6->ip6_dst) != 0)
 				continue;
 		}
+		INP_RLOCK(in6p);
 		if (in6p->in6p_cksum != -1) {
 			V_rip6stat.rip6s_isum++;
 			if (in6_cksum(m, proto, *offp,
 			    m->m_pkthdr.len - *offp)) {
 				INP_RUNLOCK(in6p);
 				V_rip6stat.rip6s_badsum++;
 				continue;
 			}
 		}
-		INP_RLOCK(in6p);
 		/*
 		 * If this raw socket has multicast state, and we
 		 * have received a multicast, check if this socket
 		 * should receive it, as multicast filtering is now
 		 * the responsibility of the transport layer.


>Release-Note:
>Audit-Trail:
>Unformatted: