kern/172963: Kernel panic in udp_input()
Charbon, Julien
jcharbon at verisign.com
Tue Apr 9 15:00:04 UTC 2013
The following reply was made to PR kern/172963; it has been noted by GNATS.
From: "Charbon, Julien" <jcharbon at verisign.com>
To: bug-followup at FreeBSD.org
Cc: rwatson at FreeBSD.org,
"De La Gueronniere, Marc" <mdelagueronniere at verisign.com>
Subject: Re: kern/172963: Kernel panic in udp_input()
Date: Tue, 09 Apr 2013 16:51:41 +0200
This is a multi-part message in MIME format.
--------------000809060905090504090109
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
I confirm this issue is still reproducible in FreeBSD 8.4-BETA1.
Joined a smaller patch wrote my Marc to fix it.
--
Julien
--------------000809060905090504090109
Content-Type: text/plain; charset=UTF-8; x-mac-type="0"; x-mac-creator="0";
name="udp_input_panic_minimal.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="udp_input_panic_minimal.patch"
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index b720364..25c741a 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -493,7 +493,14 @@ udp_input(struct mbuf *m, int off)
continue;
INP_RLOCK(inp);
-
+ /*
+ * detached PCBs can linger in the list if
+ * someone holds a reference. (e.g. udp_pcblist)
+ */
+ if (inp->inp_socket == NULL) {
+ INP_RUNLOCK(inp);
+ continue;
+ }
/*
* Handle socket delivery policy for any-source
* and source-specific multicast. [RFC3678]
@@ -620,6 +627,14 @@ udp_input(struct mbuf *m, int off)
*/
INP_RLOCK(inp);
INP_INFO_RUNLOCK(&V_udbinfo);
+ /*
+ * detached PCBs can linger in the hash table if
+ * someone holds a reference. (e.g. udp_pcblist)
+ */
+ if (inp->inp_socket == NULL) {
+ INP_RUNLOCK(inp);
+ goto badunlocked;
+ }
if (inp->inp_ip_minttl && inp->inp_ip_minttl > ip->ip_ttl) {
INP_RUNLOCK(inp);
goto badunlocked;
diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c
index 22ddde4..78b4b84 100644
--- a/sys/netinet6/udp6_usrreq.c
+++ b/sys/netinet6/udp6_usrreq.c
@@ -271,7 +271,13 @@ udp6_input(struct mbuf **mp, int *offp, int proto)
inp->inp_fport != uh->uh_sport)
continue;
}
-
+ /*
+ * detached PCBs can linger in the list if
+ * someone holds a reference. (e.g. udp_pcblist)
+ */
+ if (inp->inp_socket == NULL) {
+ continue;
+ }
/*
* Handle socket delivery policy for any-source
* and source-specific multicast. [RFC3678]
@@ -396,6 +402,14 @@ udp6_input(struct mbuf **mp, int *offp, int proto)
}
INP_RLOCK(inp);
INP_INFO_RUNLOCK(&V_udbinfo);
+ /*
+ * detached PCBs can linger in the hash table if
+ * someone holds a reference. (e.g. udp_pcblist)
+ */
+ if (inp->inp_socket == NULL) {
+ INP_RUNLOCK(inp);
+ goto badunlocked;
+ }
up = intoudpcb(inp);
if (up->u_tun_func == NULL) {
udp6_append(inp, m, off, &fromsa);
--------------000809060905090504090109--
More information about the freebsd-bugs
mailing list