In udp_input() when walking the pcblist we can come across

an inp marked FREED after the epoch(9) changes. Check once we hold the lock and skip the inp if it is the case. Contrary to IPv6 the locking of the inp is outside the multicast section and hence a single check seems to suffice. PR: 232192 Reviewed by: mmacy, markj Approved by: re (kib) Differential Revision: https://reviews.freebsd.org/D17540
svn path=/head/; revision=339339
2018-10-12 22:51:45 +00:00 · 2018-10-12 22:51:45 +00:00 · 4ba16a92c7 · 2020-12-20 02:59:44 +00:00
commit 4ba16a92c7
parent 77c1fcec91
1 changed files with 5 additions and 0 deletions
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@ -551,6 +551,11 @@ udp_input(struct mbuf **mp, int *offp, int proto)

 			INP_RLOCK(inp);

+			if (__predict_false(inp->inp_flags2 & INP_FREED)) {
+				INP_RUNLOCK(inp);
+				continue;
+			}
+
 			/*
 			 * XXXRW: Because we weren't holding either the inpcb
 			 * or the hash lock when we checked for a match