Module Name: src
Committed By: ozaki-r
Date: Thu Apr 16 08:54:15 UTC 2015
Modified Files:
src/sys/net: if_bridge.c
Log Message:
Fix racy bridge_delete_member
It can be called from bridge_ioctl_del and bridge_clone_destroy with
a same bridge member (bif) at the same time. We have to prevent
that happens.
Pointed out by riastradh@
To generate a diff of this commit:
cvs rdiff -u -r1.97 -r1.98 src/sys/net/if_bridge.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/net/if_bridge.c
diff -u src/sys/net/if_bridge.c:1.97 src/sys/net/if_bridge.c:1.98
--- src/sys/net/if_bridge.c:1.97 Thu Jan 8 10:47:44 2015
+++ src/sys/net/if_bridge.c Thu Apr 16 08:54:15 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: if_bridge.c,v 1.97 2015/01/08 10:47:44 ozaki-r Exp $ */
+/* $NetBSD: if_bridge.c,v 1.98 2015/04/16 08:54:15 ozaki-r Exp $ */
/*
* Copyright 2001 Wasabi Systems, Inc.
@@ -80,7 +80,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_bridge.c,v 1.97 2015/01/08 10:47:44 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_bridge.c,v 1.98 2015/04/16 08:54:15 ozaki-r Exp $");
#ifdef _KERNEL_OPT
#include "opt_bridge_ipf.h"
@@ -474,8 +474,10 @@ bridge_clone_destroy(struct ifnet *ifp)
bridge_stop(ifp, 1);
+ BRIDGE_LOCK(sc);
while ((bif = LIST_FIRST(&sc->sc_iflist)) != NULL)
bridge_delete_member(sc, bif);
+ BRIDGE_UNLOCK(sc);
mutex_enter(&bridge_list_lock);
LIST_REMOVE(sc, sc_list);
@@ -815,7 +817,7 @@ bridge_delete_member(struct bridge_softc
{
struct ifnet *ifs = bif->bif_ifp;
- BRIDGE_LOCK(sc);
+ KASSERT(BRIDGE_LOCKED(sc));
ifs->if_input = ether_input;
ifs->if_bridge = NULL;
@@ -840,6 +842,8 @@ bridge_delete_member(struct bridge_softc
#endif
kmem_free(bif, sizeof(*bif));
+
+ BRIDGE_LOCK(sc);
}
static int
@@ -940,10 +944,9 @@ bridge_ioctl_del(struct bridge_softc *sc
return ENOENT;
}
- BRIDGE_UNLOCK(sc);
-
bridge_delete_member(sc, bif);
+ BRIDGE_UNLOCK(sc);
switch (ifs->if_type) {
case IFT_ETHER:
