svn commit: r310180 - head/sys/net
Alan Somers
asomers at FreeBSD.org
Fri Dec 16 22:39:32 UTC 2016
Author: asomers
Date: Fri Dec 16 22:39:30 2016
New Revision: 310180
URL: https://svnweb.freebsd.org/changeset/base/310180
Log:
Fix panic during lagg destruction with simultaneous status check
If you run "ifconfig lagg0 destroy" and "ifconfig lagg0" at the same time a
page fault may result. The first process will destroy ifp->if_lagg in
lagg_clone_destroy (called by if_clone_destroy). Then the second process
will observe that ifp->if_lagg is NULL at the top of lagg_port_ioctl and
goto fallback: where it will promptly dereference ifp->if_lagg anyway.
The solution is to repeat the NULL check for ifp->if_lagg
MFC after: 4 weeks
Sponsored by: Spectra Logic Corp
Differential Revision: https://reviews.freebsd.org/D8512
Modified:
head/sys/net/if_lagg.c
Modified: head/sys/net/if_lagg.c
==============================================================================
--- head/sys/net/if_lagg.c Fri Dec 16 22:37:16 2016 (r310179)
+++ head/sys/net/if_lagg.c Fri Dec 16 22:39:30 2016 (r310180)
@@ -252,6 +252,7 @@ SYSCTL_INT(_net_link_lagg, OID_AUTO, def
&VNET_NAME(def_flowid_shift), 0,
"Default setting for flowid shift for load sharing");
+#pragma clang optimize off
static void
vnet_lagg_init(const void *unused __unused)
{
@@ -1022,7 +1023,7 @@ lagg_port_ioctl(struct ifnet *ifp, u_lon
return (error);
fallback:
- if (lp->lp_ioctl != NULL)
+ if (lp != NULL && lp->lp_ioctl != NULL)
return ((*lp->lp_ioctl)(ifp, cmd, data));
return (EINVAL);
More information about the svn-src-head
mailing list