Date:      Thu, 20 Sep 2018 15:45:53 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bz@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r338831 - head/sys/netinet6
Message-ID:  <201809201545.w8KFjrAn081397@repo.freebsd.org>

Author: bz
Date: Thu Sep 20 15:45:53 2018
New Revision: 338831
URL: https://svnweb.freebsd.org/changeset/base/338831

Log:
  In icmp6_rip6_input(), once we have a lock, make sure the inp is
  not freed.  This can happen since the list traversal and locking
  was converted to epoch(9).  If the inp is marked "freed", skip it.
  
  This prevents a NULL pointer deref panic in ip6_savecontrol_v4()
  trying to access the socket hanging off the inp, which was gone
  by the time we got there.
  
  Reported by:	andrew
  Tested by:	andrew
  Approved by:	re (gjb)

Modified:
  head/sys/netinet6/icmp6.c

Modified: head/sys/netinet6/icmp6.c
==============================================================================
--- head/sys/netinet6/icmp6.c	Thu Sep 20 15:45:12 2018	(r338830)
+++ head/sys/netinet6/icmp6.c	Thu Sep 20 15:45:53 2018	(r338831)
@@ -1936,6 +1936,10 @@ icmp6_rip6_input(struct mbuf **mp, int off)
 		   !IN6_ARE_ADDR_EQUAL(&in6p->in6p_faddr, &ip6->ip6_src))
 			continue;
 		INP_RLOCK(in6p);
+		if (__predict_false(in6p->inp_flags2 & INP_FREED)) {
+			INP_RUNLOCK(in6p);
+			continue;
+		}
 		if (ICMP6_FILTER_WILLBLOCK(icmp6->icmp6_type,
 		    in6p->in6p_icmp6filt)) {
 			INP_RUNLOCK(in6p);
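Review bot: the new INP_FREED check sits after INP_RLOCK(in6p), which is where it must be, since the flag is only meaningful once the inp lock is held; a one-line comment above the check would save the next reader from rediscovering why it exists, e.g. `/* The epoch(9) walk may hand us an inp that is already being freed. */`. Testing inp_flags2 for INP_FREED rather than checking the socket pointer for NULL is the right choice here, because it keys off the inp's lifetime state instead of a field that may be stale, which is exactly the ip6_savecontrol_v4() deref the log describes. Note the unlock-then-continue on the INP_FREED path mirrors the ICMP6_FILTER_WILLBLOCK path immediately below, so the lock discipline of the loop is unchanged.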
