From 50ec8b3b3e9b31cf6c6b1249410c29be97a0ce89 Mon Sep 17 00:00:00 2001 From: "Andrey V. Elsukov" Date: Thu, 9 May 2019 07:57:33 +0000 Subject: [PATCH] In mld_v2_cancel_link_timers() check number of references and disconnect inm before releasing the last reference. This fixes possible panics and assertion. PR: 237329 Reviewed by: mmacy MFC after: 2 weeks --- sys/netinet6/mld6.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sys/netinet6/mld6.c b/sys/netinet6/mld6.c index 62632e989c88..a2544871e32b 100644 --- a/sys/netinet6/mld6.c +++ b/sys/netinet6/mld6.c @@ -1708,6 +1708,8 @@ mld_v2_cancel_link_timers(struct mld_ifsoftc *mli) * version, we need to release the final * reference held for issuing the INCLUDE {}. */ + if (inm->in6m_refcount == 1) + in6m_disconnect_locked(&inmh, inm); in6m_rele_locked(&inmh, inm); /* FALLTHROUGH */ case MLD_G_QUERY_PENDING_MEMBER: