Module Name: src Committed By: ozaki-r Date: Thu May 25 02:43:43 UTC 2017
Modified Files:
	src/sys/netinet: in.c

Log Message:
Fix that a fresh in_ifaddr is unexpectedly freed before activating it

An in_ifaddr object is initialized with refcnt=0 and the refcnt is incremented when being enqueued to the lists. However, before enqueuing it, in_ifinit can hold and release a reference to it, i.e., call ifaref and ifafree, resulting in the object being freed in ifafree because its refcnt is decremented to 0.

It can be reproduced by doing:
  ifconfig tun0 create
  ifconfig tun1 create
  ifconfig tun0 10.1 10.2
  ifconfig tun1 10.2 10.1
  ifconfig  # Cause a kernel panic (may depend on environments)

We need to initialize a created in_ifaddr object with refcnt=1 to make the object survive over in_ifinit.

The issue was found by ryo@

To generate a diff of this commit:
cvs rdiff -u -r1.201 -r1.202 src/sys/netinet/in.c

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
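The lifecycle the commit message describes (create with some initial refcnt, in_ifinit takes and drops a temporary reference, the list takes its own reference, the creator drops its own) can be modelled in a few lines. The following is an added illustration written for this page; it is not NetBSD's struct in_ifaddr, ifaref() or ifafree(), and the model_* names, the freed flag standing in for a real free(), and the assumption that the creator releases its own reference once the list holds one are all simplifications made here to show why refcnt=0 at creation lets the ifaref/ifafree pair inside in_ifinit destroy the object before it is ever enqueued, while refcnt=1 carries it through.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of the refcount lifecycle in the commit message. Illustrative
 * code only, not NetBSD's in_ifaddr; names borrowed so the steps line up. */
struct ifaddr_model {
	int refcnt;
	bool freed;      /* stands in for the memory actually being freed */
	bool enqueued;   /* on the address lists, which hold one reference */
};

static void model_ifaref(struct ifaddr_model *ifa)
{
	ifa->refcnt++;
}

/* Like ifafree(): drop a reference; the last one frees the object. Real
 * code would free the memory; here we only set a flag so it can be read. */
static void model_ifafree(struct ifaddr_model *ifa)
{
	if (ifa->freed)
		return;		/* a real kernel would be touching freed memory here */
	if (--ifa->refcnt <= 0)
		ifa->freed = true;
}

/* Stand-in for in_ifinit(): holds a temporary reference while it works on
 * the address, then releases it. If refcnt started at 0, this pair frees
 * the object. */
static void model_in_ifinit(struct ifaddr_model *ifa)
{
	model_ifaref(ifa);
	/* ... address configuration would happen here ... */
	model_ifafree(ifa);
}

/* Enqueue onto the lists; the list takes its own reference. Returns false
 * if the object was already freed, which is the bug's observable result. */
static bool model_enqueue(struct ifaddr_model *ifa)
{
	if (ifa->freed)
		return false;
	model_ifaref(ifa);
	ifa->enqueued = true;
	return true;
}

/* Run creation -> in_ifinit -> enqueue -> creator drops its reference (if it
 * held one) with the given initial refcnt. Returns true if the object reached
 * the lists alive; *out receives the final state. */
static bool model_lifecycle(int initial_refcnt, struct ifaddr_model *out)
{
	struct ifaddr_model ifa = { initial_refcnt, false, false };
	bool alive;

	model_in_ifinit(&ifa);
	alive = model_enqueue(&ifa);
	if (initial_refcnt > 0)
		model_ifafree(&ifa);	/* creator's reference; the list now holds its own */
	if (out)
		*out = ifa;
	return alive;
}

int main(void)
{
	struct ifaddr_model st;

	printf("refcnt=0 at creation: reached the lists? %s\n",
	    model_lifecycle(0, &st) ? "yes" : "no (freed inside in_ifinit)");
	printf("refcnt=1 at creation: reached the lists? %s, refcnt=%d, enqueued=%d\n",
	    model_lifecycle(1, &st) ? "yes" : "no", st.refcnt, st.enqueued);
	return 0;
}
```

With refcnt=0 the hold/release inside in_ifinit is the only reference that ever exists, so the release is also the last one and the object is gone before enqueue runs; with refcnt=1 the creator's reference keeps the count above zero until the list has taken its own, which is exactly the invariant the fix restores.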