diff options
| author | Andrey V. Elsukov <ae@FreeBSD.org> | 2021-03-30 09:31:09 +0000 |
|---|---|---|
| committer | Andrey V. Elsukov <ae@FreeBSD.org> | 2021-03-30 09:31:09 +0000 |
| commit | c80a4b76ceacc5aab322e7ac1407eea8c90cb3b1 (patch) | |
| tree | 5701498123fd76f62bd7fbf7ce8345094ad8807f | |
| parent | b013912772ec9e135b52aaec5f70bc92a191ebdb (diff) | |
| download | src-c80a4b76ceacc5aab322e7ac1407eea8c90cb3b1.tar.gz src-c80a4b76ceacc5aab322e7ac1407eea8c90cb3b1.zip | |
ipdivert: check that PCB is still valid after taking INPCB_RLOCK.
We are inspecting PCBs of divert sockets under NET_EPOCH section,
but PCB could be already detached and we should check INP_FREED flag
when we took INP_RLOCK.
PR: 254478
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D29420
| -rw-r--r-- | sys/netinet/ip_divert.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/sys/netinet/ip_divert.c b/sys/netinet/ip_divert.c index 65f1d263b5fa..70d3fbd1f230 100644 --- a/sys/netinet/ip_divert.c +++ b/sys/netinet/ip_divert.c @@ -280,6 +280,10 @@ divert_packet(struct mbuf *m, bool incoming) /* XXX why does only one socket match? */ if (inp->inp_lport == nport) { INP_RLOCK(inp); + if (__predict_false(inp->inp_flags2 & INP_FREED)) { + INP_RUNLOCK(inp); + continue; + } sa = inp->inp_socket; SOCKBUF_LOCK(&sa->so_rcv); if (sbappendaddr_locked(&sa->so_rcv, |