Handle INP_FREED when looking up an inpcb

When hash table lookups are not serialized with in_pcbfree it will be possible for callers to find an inpcb that has been marked free. We need to check for this and return NULL.
2018-06-13 04:23:49 +00:00 · 2018-06-13 04:23:49 +00:00 · 5fa208f76c
commit 5fa208f76c
parent c4f7676726
1 changed files with 8 additions and 1 deletions
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@ -2209,7 +2209,14 @@ in_pcblookup_group(struct inpcbinfo *pcbinfo, struct inpcbgroup *pcbgroup,
 		locked = INP_TRY_RLOCK(inp);
 	else
 		panic("%s: locking bug", __func__);
-	if (!locked)
+	if (__predict_false(locked && (inp->inp_flags2 & INP_FREED))) {
+		if (lookupflags & INPLOOKUP_WLOCKPCB)
+			INP_WUNLOCK(inp);
+		else
+			INP_RUNLOCK(inp);
+		INP_HASH_RUNLOCK(pcbinfo);
+		return (NULL);
+	} else if (!locked)
 		in_pcbref(inp);
 	INP_GROUP_UNLOCK(pcbgroup);
 	if (!locked) {