Module Name: src
Committed By: ozaki-r
Date: Thu Mar 2 09:48:20 UTC 2017
Modified Files:
src/sys/netinet6: in6.c in6_var.h mld6.c
Log Message:
Plug a race condition on accessing i6mm_maddr
To generate a diff of this commit:
cvs rdiff -u -r1.243 -r1.244 src/sys/netinet6/in6.c
cvs rdiff -u -r1.96 -r1.97 src/sys/netinet6/in6_var.h
cvs rdiff -u -r1.87 -r1.88 src/sys/netinet6/mld6.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/netinet6/in6.c
diff -u src/sys/netinet6/in6.c:1.243 src/sys/netinet6/in6.c:1.244
--- src/sys/netinet6/in6.c:1.243 Thu Mar 2 09:16:46 2017
+++ src/sys/netinet6/in6.c Thu Mar 2 09:48:20 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: in6.c,v 1.243 2017/03/02 09:16:46 ozaki-r Exp $ */
+/* $NetBSD: in6.c,v 1.244 2017/03/02 09:48:20 ozaki-r Exp $ */
/* $KAME: in6.c,v 1.198 2001/07/18 09:12:38 itojun Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: in6.c,v 1.243 2017/03/02 09:16:46 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in6.c,v 1.244 2017/03/02 09:48:20 ozaki-r Exp $");
#ifdef _KERNEL_OPT
#include "opt_inet.h"
@@ -1462,10 +1462,11 @@ in6_purge_mcast_references(struct in6_mu
{
struct in6_ifaddr *ia;
+ KASSERT(in6_multi_locked(RW_WRITER));
+
mutex_enter(&in6_ifaddr_lock);
IN6_ADDRLIST_WRITER_FOREACH(ia) {
struct in6_multi_mship *imm;
- /* XXX imm isn't safe? */
LIST_FOREACH(imm, &ia->ia6_memberships, i6mm_chain) {
if (imm->i6mm_maddr == in6m)
imm->i6mm_maddr = NULL;
Index: src/sys/netinet6/in6_var.h
diff -u src/sys/netinet6/in6_var.h:1.96 src/sys/netinet6/in6_var.h:1.97
--- src/sys/netinet6/in6_var.h:1.96 Thu Mar 2 09:16:46 2017
+++ src/sys/netinet6/in6_var.h Thu Mar 2 09:48:20 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: in6_var.h,v 1.96 2017/03/02 09:16:46 ozaki-r Exp $ */
+/* $NetBSD: in6_var.h,v 1.97 2017/03/02 09:48:20 ozaki-r Exp $ */
/* $KAME: in6_var.h,v 1.81 2002/06/08 11:16:51 itojun Exp $ */
/*
@@ -683,6 +683,7 @@ void in6_init(void);
void in6_multi_lock(int);
void in6_multi_unlock(void);
+bool in6_multi_locked(int);
struct in6_multi *
in6_lookup_multi(const struct in6_addr *, const struct ifnet *);
bool in6_multi_group(const struct in6_addr *, const struct ifnet *);
Index: src/sys/netinet6/mld6.c
diff -u src/sys/netinet6/mld6.c:1.87 src/sys/netinet6/mld6.c:1.88
--- src/sys/netinet6/mld6.c:1.87 Thu Mar 2 09:16:46 2017
+++ src/sys/netinet6/mld6.c Thu Mar 2 09:48:20 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: mld6.c,v 1.87 2017/03/02 09:16:46 ozaki-r Exp $ */
+/* $NetBSD: mld6.c,v 1.88 2017/03/02 09:48:20 ozaki-r Exp $ */
/* $KAME: mld6.c,v 1.25 2001/01/16 14:14:18 itojun Exp $ */
/*
@@ -102,7 +102,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: mld6.c,v 1.87 2017/03/02 09:16:46 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: mld6.c,v 1.88 2017/03/02 09:48:20 ozaki-r Exp $");
#ifdef _KERNEL_OPT
#include "opt_inet.h"
@@ -915,6 +915,20 @@ in6_multi_unlock(void)
rw_exit(&in6_multilock);
}
+bool
+in6_multi_locked(int op)
+{
+
+ switch (op) {
+ case RW_READER:
+ return rw_read_held(&in6_multilock);
+ case RW_WRITER:
+ return rw_write_held(&in6_multilock);
+ default:
+ return rw_lock_held(&in6_multilock);
+ }
+}
+
struct in6_multi_mship *
in6_joingroup(struct ifnet *ifp, struct in6_addr *addr,
int *errorp, int timer)
@@ -939,9 +953,13 @@ in6_joingroup(struct ifnet *ifp, struct
int
in6_leavegroup(struct in6_multi_mship *imm)
{
+ struct in6_multi *in6m;
- if (imm->i6mm_maddr) {
- in6_delmulti(imm->i6mm_maddr);
+ rw_enter(&in6_multilock, RW_READER);
+ in6m = imm->i6mm_maddr;
+ rw_exit(&in6_multilock);
+ if (in6m != NULL) {
+ in6_delmulti(in6m);
}
free(imm, M_IPMADDR);
return 0;
