diff options
| author | Andrey V. Elsukov <ae@FreeBSD.org> | 2021-03-30 09:31:09 +0000 |
|---|---|---|
| committer | Andrey V. Elsukov <ae@FreeBSD.org> | 2021-04-06 06:47:54 +0000 |
| commit | 6b8c65318e81a451b33ed57b84a5495284dcb20f (patch) | |
| tree | ae9e0c11ca6ebc2be8ece80e06746e0cbaf2d3c4 | |
| parent | 5524122ee3b78b3a9bba1d0a0d9b8ac080a8e6d8 (diff) | |
| download | src-6b8c65318e81a451b33ed57b84a5495284dcb20f.tar.gz src-6b8c65318e81a451b33ed57b84a5495284dcb20f.zip | |
ipdivert: check that PCB is still valid after taking INPCB_RLOCK.
We are inspecting PCBs of divert sockets under NET_EPOCH section,
but PCB could be already detached and we should check INP_FREED flag
when we took INP_RLOCK.
PR: 254478
Differential Revision: https://reviews.freebsd.org/D29420
(cherry picked from commit c80a4b76ceacc5aab322e7ac1407eea8c90cb3b1)
| -rw-r--r-- | sys/netinet/ip_divert.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/sys/netinet/ip_divert.c b/sys/netinet/ip_divert.c index 65f1d263b5fa..70d3fbd1f230 100644 --- a/sys/netinet/ip_divert.c +++ b/sys/netinet/ip_divert.c @@ -280,6 +280,10 @@ divert_packet(struct mbuf *m, bool incoming) /* XXX why does only one socket match? */ if (inp->inp_lport == nport) { INP_RLOCK(inp); + if (__predict_false(inp->inp_flags2 & INP_FREED)) { + INP_RUNLOCK(inp); + continue; + } sa = inp->inp_socket; SOCKBUF_LOCK(&sa->so_rcv); if (sbappendaddr_locked(&sa->so_rcv, |