Author: markj Date: Fri Jan 3 17:03:10 2020 New Revision: 356321 URL: https://svnweb.freebsd.org/changeset/base/356321
Log: Take the ifnet's address lock in igmp_v3_cancel_link_timers(). inm_rele_locked() may remove the multicast address associated with inm. Reported by: syzbot+871c5d1fd5fac6c28...@syzkaller.appspotmail.com Reviewed by: hselasky MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D23009 Modified: head/sys/netinet/igmp.c Modified: head/sys/netinet/igmp.c ============================================================================== --- head/sys/netinet/igmp.c Fri Jan 3 16:28:10 2020 (r356320) +++ head/sys/netinet/igmp.c Fri Jan 3 17:03:10 2020 (r356321) @@ -1981,7 +1981,7 @@ igmp_set_version(struct igmp_ifsoftc *igi, const int v static void igmp_v3_cancel_link_timers(struct igmp_ifsoftc *igi) { - struct ifmultiaddr *ifma; + struct ifmultiaddr *ifma, *ifmatmp; struct ifnet *ifp; struct in_multi *inm; struct in_multi_head inm_free_tmp; @@ -2007,7 +2007,8 @@ igmp_v3_cancel_link_timers(struct igmp_ifsoftc *igi) * for all memberships scoped to this link. */ ifp = igi->igi_ifp; - CK_STAILQ_FOREACH(ifma, &ifp->if_multiaddrs, ifma_link) { + IF_ADDR_WLOCK(ifp); + CK_STAILQ_FOREACH_SAFE(ifma, &ifp->if_multiaddrs, ifma_link, ifmatmp) { if (ifma->ifma_addr->sa_family != AF_INET || ifma->ifma_protospec == NULL) continue; @@ -2051,6 +2052,7 @@ igmp_v3_cancel_link_timers(struct igmp_ifsoftc *igi) inm->inm_timer = 0; mbufq_drain(&inm->inm_scq); } + IF_ADDR_WUNLOCK(ifp); inm_release_list_deferred(&inm_free_tmp); } _______________________________________________ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
