Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/netinet6 Plug a race condition on accessing i6mm_maddr
details: https://anonhg.NetBSD.org/src/rev/229ebc2802cd
branches: trunk
changeset: 351872:229ebc2802cd
user: ozaki-r <ozaki-r%NetBSD.org@localhost>
date: Thu Mar 02 09:48:20 2017 +0000
description:
Plug a race condition on accessing i6mm_maddr
diffstat:
sys/netinet6/in6.c | 7 ++++---
sys/netinet6/in6_var.h | 3 ++-
sys/netinet6/mld6.c | 26 ++++++++++++++++++++++----
3 files changed, 28 insertions(+), 8 deletions(-)
diffs (103 lines):
diff -r b29358adacc0 -r 229ebc2802cd sys/netinet6/in6.c
--- a/sys/netinet6/in6.c Thu Mar 02 09:16:46 2017 +0000
+++ b/sys/netinet6/in6.c Thu Mar 02 09:48:20 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: in6.c,v 1.243 2017/03/02 09:16:46 ozaki-r Exp $ */
+/* $NetBSD: in6.c,v 1.244 2017/03/02 09:48:20 ozaki-r Exp $ */
/* $KAME: in6.c,v 1.198 2001/07/18 09:12:38 itojun Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: in6.c,v 1.243 2017/03/02 09:16:46 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in6.c,v 1.244 2017/03/02 09:48:20 ozaki-r Exp $");
#ifdef _KERNEL_OPT
#include "opt_inet.h"
@@ -1462,10 +1462,11 @@
{
struct in6_ifaddr *ia;
+ KASSERT(in6_multi_locked(RW_WRITER));
+
mutex_enter(&in6_ifaddr_lock);
IN6_ADDRLIST_WRITER_FOREACH(ia) {
struct in6_multi_mship *imm;
- /* XXX imm isn't safe? */
LIST_FOREACH(imm, &ia->ia6_memberships, i6mm_chain) {
if (imm->i6mm_maddr == in6m)
imm->i6mm_maddr = NULL;
diff -r b29358adacc0 -r 229ebc2802cd sys/netinet6/in6_var.h
--- a/sys/netinet6/in6_var.h Thu Mar 02 09:16:46 2017 +0000
+++ b/sys/netinet6/in6_var.h Thu Mar 02 09:48:20 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: in6_var.h,v 1.96 2017/03/02 09:16:46 ozaki-r Exp $ */
+/* $NetBSD: in6_var.h,v 1.97 2017/03/02 09:48:20 ozaki-r Exp $ */
/* $KAME: in6_var.h,v 1.81 2002/06/08 11:16:51 itojun Exp $ */
/*
@@ -683,6 +683,7 @@
void in6_multi_lock(int);
void in6_multi_unlock(void);
+bool in6_multi_locked(int);
struct in6_multi *
in6_lookup_multi(const struct in6_addr *, const struct ifnet *);
bool in6_multi_group(const struct in6_addr *, const struct ifnet *);
diff -r b29358adacc0 -r 229ebc2802cd sys/netinet6/mld6.c
--- a/sys/netinet6/mld6.c Thu Mar 02 09:16:46 2017 +0000
+++ b/sys/netinet6/mld6.c Thu Mar 02 09:48:20 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: mld6.c,v 1.87 2017/03/02 09:16:46 ozaki-r Exp $ */
+/* $NetBSD: mld6.c,v 1.88 2017/03/02 09:48:20 ozaki-r Exp $ */
/* $KAME: mld6.c,v 1.25 2001/01/16 14:14:18 itojun Exp $ */
/*
@@ -102,7 +102,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: mld6.c,v 1.87 2017/03/02 09:16:46 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: mld6.c,v 1.88 2017/03/02 09:48:20 ozaki-r Exp $");
#ifdef _KERNEL_OPT
#include "opt_inet.h"
@@ -915,6 +915,20 @@
rw_exit(&in6_multilock);
}
+bool
+in6_multi_locked(int op)
+{
+
+ switch (op) {
+ case RW_READER:
+ return rw_read_held(&in6_multilock);
+ case RW_WRITER:
+ return rw_write_held(&in6_multilock);
+ default:
+ return rw_lock_held(&in6_multilock);
+ }
+}
+
struct in6_multi_mship *
in6_joingroup(struct ifnet *ifp, struct in6_addr *addr,
int *errorp, int timer)
@@ -939,9 +953,13 @@
int
in6_leavegroup(struct in6_multi_mship *imm)
{
+ struct in6_multi *in6m;
- if (imm->i6mm_maddr) {
- in6_delmulti(imm->i6mm_maddr);
+ rw_enter(&in6_multilock, RW_READER);
+ in6m = imm->i6mm_maddr;
+ rw_exit(&in6_multilock);
+ if (in6m != NULL) {
+ in6_delmulti(in6m);
}
free(imm, M_IPMADDR);
return 0;
Home |
Main Index |
Thread Index |
Old Index