diff options
| author | Andrey V. Elsukov <ae@FreeBSD.org> | 2021-03-30 09:31:09 +0000 |
|---|---|---|
| committer | Andrey V. Elsukov <ae@FreeBSD.org> | 2021-04-06 06:50:55 +0000 |
| commit | 38c299fe856216d6ab38eb5e04d9ee4f8c22995d (patch) | |
| tree | 1e8348c1d53c58ea4d485f72acfc37a590798c3b | |
| parent | 8d415b19409b7709193b2f045d75a6b3bdeaf290 (diff) | |
| download | src-38c299fe856216d6ab38eb5e04d9ee4f8c22995d.tar.gz src-38c299fe856216d6ab38eb5e04d9ee4f8c22995d.zip | |
ipdivert: check that PCB is still valid after taking INPCB_RLOCK.
We are inspecting PCBs of divert sockets under NET_EPOCH section,
but PCB could be already detached and we should check INP_FREED flag
when we took INP_RLOCK.
PR: 254478
Differential Revision: https://reviews.freebsd.org/D29420
(cherry picked from commit c80a4b76ceacc5aab322e7ac1407eea8c90cb3b1)
| -rw-r--r-- | sys/netinet/ip_divert.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/sys/netinet/ip_divert.c b/sys/netinet/ip_divert.c index bcde5416456b..81e70177e641 100644 --- a/sys/netinet/ip_divert.c +++ b/sys/netinet/ip_divert.c @@ -278,6 +278,10 @@ divert_packet(struct mbuf *m, int incoming) /* XXX why does only one socket match? */ if (inp->inp_lport == nport) { INP_RLOCK(inp); + if (__predict_false(inp->inp_flags2 & INP_FREED)) { + INP_RUNLOCK(inp); + continue; + } sa = inp->inp_socket; SOCKBUF_LOCK(&sa->so_rcv); if (sbappendaddr_locked(&sa->so_rcv, |