The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=cbb019b831ad59ead34b825bf053169ebbe81bbf
commit cbb019b831ad59ead34b825bf053169ebbe81bbf Author: Kristof Provost <[email protected]> AuthorDate: 2022-07-04 20:36:43 +0000 Commit: Kristof Provost <[email protected]> CommitDate: 2022-07-05 16:59:00 +0000 dummynet: fix ip_dn_vnet_init() / dummynet_task() race If dummynet_task() is run on a vnet where dummynet is still initialising (i.e. still running ip_dn_vnet_init()) we can attempt to use an uninitialised mutex. We can use the existing init_done field to check if the per-vnet V_dn_cfg is fully set up, if we ensure that it's only set to 1 when we've done all of the init work. Reported by: Alfredo Dal'Ava JĂșnior <[email protected]> Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D35716 --- sys/netpfil/ipfw/ip_dn_io.c | 5 +++++ sys/netpfil/ipfw/ip_dummynet.c | 4 +++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/sys/netpfil/ipfw/ip_dn_io.c b/sys/netpfil/ipfw/ip_dn_io.c index deeb3d9325de..7a85714fa0c6 100644 --- a/sys/netpfil/ipfw/ip_dn_io.c +++ b/sys/netpfil/ipfw/ip_dn_io.c @@ -669,6 +669,11 @@ dummynet_task(void *context, int pending) memset(&q, 0, sizeof(struct mq)); CURVNET_SET(vnet_iter); + if (! V_dn_cfg.init_done) { + CURVNET_RESTORE(); + continue; + } + DN_BH_WLOCK(); /* Update number of lost(coalesced) ticks. */ diff --git a/sys/netpfil/ipfw/ip_dummynet.c b/sys/netpfil/ipfw/ip_dummynet.c index 46300b90007e..503fbef6f530 100644 --- a/sys/netpfil/ipfw/ip_dummynet.c +++ b/sys/netpfil/ipfw/ip_dummynet.c @@ -2562,7 +2562,7 @@ ip_dn_vnet_init(void) { if (V_dn_cfg.init_done) return; - V_dn_cfg.init_done = 1; + /* Set defaults here. MSVC does not accept initializers, * and this is also useful for vimages */ @@ -2601,6 +2601,8 @@ ip_dn_vnet_init(void) /* Initialize curr_time adjustment mechanics. */ getmicrouptime(&V_dn_cfg.prev_t); + + V_dn_cfg.init_done = 1; } static void
