diff --git a/sys/netinet/ip_divert.c b/sys/netinet/ip_divert.c index 2e8703439da0..acee34112a27 100644 --- a/sys/netinet/ip_divert.c +++ b/sys/netinet/ip_divert.c @@ -628,11 +628,13 @@ div_pcblist(SYSCTL_HANDLER_ARGS) INP_INFO_RLOCK(&V_divcbinfo); for (inp = LIST_FIRST(V_divcbinfo.ipi_listhead), i = 0; inp && i < n; inp = LIST_NEXT(inp, inp_list)) { - INP_RLOCK(inp); + INP_WLOCK(inp); if (inp->inp_gencnt <= gencnt && - cr_canseeinpcb(req->td->td_ucred, inp) == 0) + cr_canseeinpcb(req->td->td_ucred, inp) == 0) { + in_pcbref(inp); inp_list[i++] = inp; - INP_RUNLOCK(inp); + } + INP_WUNLOCK(inp); } INP_INFO_RUNLOCK(&V_divcbinfo); n = i; @@ -654,6 +656,15 @@ div_pcblist(SYSCTL_HANDLER_ARGS) } else INP_RUNLOCK(inp); } + INP_INFO_WLOCK(&V_divcbinfo); + for (i = 0; i < n; i++) { + inp = inp_list[i]; + INP_WLOCK(inp); + if (!in_pcbrele(inp)) + INP_WUNLOCK(inp); + } + INP_INFO_WUNLOCK(&V_divcbinfo); + if (!error) { /* * Give the user an updated idea of our state. diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c index 88c1e61d4528..1db37746c83a 100644 --- a/sys/netinet/raw_ip.c +++ b/sys/netinet/raw_ip.c @@ -1011,13 +1011,13 @@ rip_pcblist(SYSCTL_HANDLER_ARGS) INP_INFO_RLOCK(&V_ripcbinfo); for (inp = LIST_FIRST(V_ripcbinfo.ipi_listhead), i = 0; inp && i < n; inp = LIST_NEXT(inp, inp_list)) { - INP_RLOCK(inp); + INP_WLOCK(inp); if (inp->inp_gencnt <= gencnt && cr_canseeinpcb(req->td->td_ucred, inp) == 0) { - /* XXX held references? */ + in_pcbref(inp); inp_list[i++] = inp; } - INP_RUNLOCK(inp); + INP_WUNLOCK(inp); } INP_INFO_RUNLOCK(&V_ripcbinfo); n = i; @@ -1040,6 +1040,15 @@ rip_pcblist(SYSCTL_HANDLER_ARGS) } else INP_RUNLOCK(inp); } + INP_INFO_WLOCK(&V_ripcbinfo); + for (i = 0; i < n; i++) { + inp = inp_list[i]; + INP_WLOCK(inp); + if (!in_pcbrele(inp)) + INP_WUNLOCK(inp); + } + INP_INFO_WUNLOCK(&V_ripcbinfo); + if (!error) { /* * Give the user an updated idea of our state. If the diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c index 4a2f21f18b34..9ec434c0c341 100644 --- a/sys/netinet/tcp_subr.c +++ b/sys/netinet/tcp_subr.c @@ -1108,7 +1108,7 @@ tcp_pcblist(SYSCTL_HANDLER_ARGS) INP_INFO_RLOCK(&V_tcbinfo); for (inp = LIST_FIRST(V_tcbinfo.ipi_listhead), i = 0; inp != NULL && i < n; inp = LIST_NEXT(inp, inp_list)) { - INP_RLOCK(inp); + INP_WLOCK(inp); if (inp->inp_gencnt <= gencnt) { /* * XXX: This use of cr_cansee(), introduced with @@ -1123,10 +1123,12 @@ tcp_pcblist(SYSCTL_HANDLER_ARGS) error = EINVAL; /* Skip this inp. */ } else error = cr_canseeinpcb(req->td->td_ucred, inp); - if (error == 0) + if (error == 0) { + in_pcbref(inp); inp_list[i++] = inp; + } } - INP_RUNLOCK(inp); + INP_WUNLOCK(inp); } INP_INFO_RUNLOCK(&V_tcbinfo); n = i; @@ -1165,8 +1167,16 @@ tcp_pcblist(SYSCTL_HANDLER_ARGS) error = SYSCTL_OUT(req, &xt, sizeof xt); } else INP_RUNLOCK(inp); - } + INP_INFO_WLOCK(&V_tcbinfo); + for (i = 0; i < n; i++) { + inp = inp_list[i]; + INP_WLOCK(inp); + if (!in_pcbrele(inp)) + INP_WUNLOCK(inp); + } + INP_INFO_WUNLOCK(&V_tcbinfo); + if (!error) { /* * Give the user an updated idea of our state. diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index e0189d3227a0..0d8e04deaf68 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -746,11 +746,13 @@ udp_pcblist(SYSCTL_HANDLER_ARGS) INP_INFO_RLOCK(&V_udbinfo); for (inp = LIST_FIRST(V_udbinfo.ipi_listhead), i = 0; inp && i < n; inp = LIST_NEXT(inp, inp_list)) { - INP_RLOCK(inp); + INP_WLOCK(inp); if (inp->inp_gencnt <= gencnt && - cr_canseeinpcb(req->td->td_ucred, inp) == 0) + cr_canseeinpcb(req->td->td_ucred, inp) == 0) { + in_pcbref(inp); inp_list[i++] = inp; - INP_RUNLOCK(inp); + } + INP_WUNLOCK(inp); } INP_INFO_RUNLOCK(&V_udbinfo); n = i; @@ -761,6 +763,7 @@ udp_pcblist(SYSCTL_HANDLER_ARGS) INP_RLOCK(inp); if (inp->inp_gencnt <= gencnt) { struct xinpcb xi; + bzero(&xi, sizeof(xi)); xi.xi_len = sizeof xi; /* XXX should avoid extra copy */ @@ -773,6 +776,15 @@ udp_pcblist(SYSCTL_HANDLER_ARGS) } else INP_RUNLOCK(inp); } + INP_INFO_WLOCK(&V_udbinfo); + for (i = 0; i < n; i++) { + inp = inp_list[i]; + INP_WLOCK(inp); + if (!in_pcbrele(inp)) + INP_WUNLOCK(inp); + } + INP_INFO_WUNLOCK(&V_udbinfo); + if (!error) { /* * Give the user an updated idea of our state. If the