Fix panic during lagg destruction with simultaneous status check

If you run "ifconfig lagg0 destroy" and "ifconfig lagg0" at the same time a page fault may result. The first process will destroy ifp->if_lagg in lagg_clone_destroy (called by if_clone_destroy). Then the second process will observe that ifp->if_lagg is NULL at the top of lagg_port_ioctl and goto fallback: where it will promptly dereference ifp->if_lagg anyway. The solution is to repeat the NULL check for ifp->if_lagg MFC after: 4 weeks Sponsored by: Spectra Logic Corp Differential Revision: https://reviews.freebsd.org/D8512
2016-12-16 22:39:30 +00:00 · 2016-12-16 22:39:30 +00:00 · d9fa2d67eb
commit d9fa2d67eb
parent 5b3b877f89
1 changed files with 2 additions and 1 deletions
--- a/sys/net/if_lagg.c
+++ b/sys/net/if_lagg.c
@ -252,6 +252,7 @@ SYSCTL_INT(_net_link_lagg, OID_AUTO, default_flowid_shift, CTLFLAG_RWTUN,
    &VNET_NAME(def_flowid_shift), 0,
    "Default setting for flowid shift for load sharing");

+#pragma clang optimize off
 static void
 vnet_lagg_init(const void *unused __unused)
 {
@ -1022,7 +1023,7 @@ lagg_port_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
 	return (error);

 fallback:
-	if (lp->lp_ioctl != NULL)
+	if (lp != NULL && lp->lp_ioctl != NULL)
 		return ((*lp->lp_ioctl)(ifp, cmd, data));

 	return (EINVAL);