Ensure that sctp_it_ctl.cur_it does not point to a free object (during

a small time window). Thanks to Byron Campen for reporting the issue and suggesting a fix. MFC after: 3 days
2016-08-15 10:16:08 +00:00 · 2016-08-15 10:16:08 +00:00 · dcb436c936
commit dcb436c936
parent 47ead00d5b
1 changed files with 2 additions and 2 deletions
--- a/sys/netinet/sctputil.c
+++ b/sys/netinet/sctputil.c
@ -1280,6 +1280,7 @@ sctp_iterator_work(struct sctp_iterator *it)

 	SCTP_INP_INFO_RLOCK();
 	SCTP_ITERATOR_LOCK();
+	sctp_it_ctl.cur_it = it;
 	if (it->inp) {
 		SCTP_INP_RLOCK(it->inp);
 		SCTP_INP_DECR_REF(it->inp);
@ -1287,6 +1288,7 @@ sctp_iterator_work(struct sctp_iterator *it)
 	if (it->inp == NULL) {
 		/* iterator is complete */
 done_with_iterator:
+		sctp_it_ctl.cur_it = NULL;
 		SCTP_ITERATOR_UNLOCK();
 		SCTP_INP_INFO_RUNLOCK();
 		if (it->function_atend != NULL) {
@ -1427,13 +1429,11 @@ sctp_iterator_worker(void)

 	sctp_it_ctl.iterator_running = 1;
 	TAILQ_FOREACH_SAFE(it, &sctp_it_ctl.iteratorhead, sctp_nxt_itr, nit) {
-		sctp_it_ctl.cur_it = it;
 		/* now lets work on this one */
 		TAILQ_REMOVE(&sctp_it_ctl.iteratorhead, it, sctp_nxt_itr);
 		SCTP_IPI_ITERATOR_WQ_UNLOCK();
 		CURVNET_SET(it->vn);
 		sctp_iterator_work(it);
-		sctp_it_ctl.cur_it = NULL;
 		CURVNET_RESTORE();
 		SCTP_IPI_ITERATOR_WQ_LOCK();
 		/* sa_ignore FREED_MEMORY */