From e62e4b859428e051ec6495e38626fa91f992ac74 Mon Sep 17 00:00:00 2001 From: Mark Johnston Date: Fri, 25 Sep 2020 18:55:50 +0000 Subject: [PATCH] ng_l2tp: Fix callout synchronization in the rexmit timeout handler A received control packet may cause the transmit queue to be flushed, in which case ng_l2tp_seq_recv_nr() cancels the transmit timeout handler. The handler checks to see if it was cancelled before doing anything, but did so before acquiring the node lock, so a small race window could cause ng_l2tp_seq_rack_timeout() to attempt to flush an empty queue, ultimately causing a null pointer dereference. PR: 241133 Reviewed by: bz, glebius, Lutz Donnerhacke MFC after: 3 days Sponsored by: Rubicon Communications, LLC (Netgate) Differential Revision: https://reviews.freebsd.org/D26548 --- sys/netgraph/ng_l2tp.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/sys/netgraph/ng_l2tp.c b/sys/netgraph/ng_l2tp.c index 91f6004961ec..9b6f19f9f0ad 100644 --- a/sys/netgraph/ng_l2tp.c +++ b/sys/netgraph/ng_l2tp.c @@ -1453,15 +1453,17 @@ ng_l2tp_seq_rack_timeout(node_p node, hook_p hook, void *arg1, int arg2) struct mbuf *m; u_int delay; - /* Make sure callout is still active before doing anything */ - if (callout_pending(&seq->rack_timer) || - (!callout_active(&seq->rack_timer))) - return; - /* Sanity check */ L2TP_SEQ_CHECK(seq); mtx_lock(&seq->mtx); + /* Make sure callout is still active before doing anything */ + if (callout_pending(&seq->rack_timer) || + !callout_active(&seq->rack_timer)) { + mtx_unlock(&seq->mtx); + return; + } + priv->stats.xmitRetransmits++; /* Have we reached the retransmit limit? If so, notify owner. */