svn commit: r338969 - head/sys/netinet6

Bjoern A. Zeeb bz at FreeBSD.org
Thu Sep 27 15:32:38 UTC 2018


Author: bz
Date: Thu Sep 27 15:32:37 2018
New Revision: 338969
URL: https://svnweb.freebsd.org/changeset/base/338969

Log:
  In in6_pcbpurgeif0() called, e.g., from if_clone_destroy(),
  once we have a lock, make sure the inp is not marked freed.
  This can happen since the list traversal and locking was
  converted to epoch(9).  If the inp is marked "freed", skip it.
  
  This prevents a NULL pointer deref panic later on.
  
  Reported by:	slavash (Mellanox)
  Tested by:	slavash (Mellanox)
  Reviewed by:	markj (no formal review but caught my unlock mistake)
  Approved by:	re (kib)

Modified:
  head/sys/netinet6/in6_pcb.c

Modified: head/sys/netinet6/in6_pcb.c
==============================================================================
--- head/sys/netinet6/in6_pcb.c	Thu Sep 27 15:27:53 2018	(r338968)
+++ head/sys/netinet6/in6_pcb.c	Thu Sep 27 15:32:37 2018	(r338969)
@@ -809,6 +809,10 @@ in6_pcbpurgeif0(struct inpcbinfo *pcbinfo, struct ifne
 	INP_INFO_WLOCK(pcbinfo);
 	CK_LIST_FOREACH(in6p, pcbinfo->ipi_listhead, inp_list) {
 		INP_WLOCK(in6p);
+		if (__predict_false(in6p->inp_flags2 & INP_FREED)) {
+			INP_WUNLOCK(in6p);
+			continue;
+		}
 		im6o = in6p->in6p_moptions;
 		if ((in6p->inp_vflag & INP_IPV6) && im6o != NULL) {
 			/*
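Review bot: the new INP_FREED check carries no comment explaining why a freed inp can still be reached here, so a reader of the loop will not know it is a consequence of the epoch(9) conversion noted in the log message; add a short comment above `if (__predict_false(in6p->inp_flags2 & INP_FREED)) {` stating that the CK_LIST_FOREACH traversal under epoch can observe entries already marked freed and that such entries must be skipped before `im6o = in6p->in6p_moptions;` dereferences them. The ordering itself is right: the flag is tested only after `INP_WLOCK(in6p);`, and the early `continue` is preceded by `INP_WUNLOCK(in6p);`, so the lock is released on the skip path rather than leaked.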
