Author: markj
Date: Fri Sep 25 18:55:50 2020
New Revision: 366167
URL: https://svnweb.freebsd.org/changeset/base/366167

Log:
  ng_l2tp: Fix callout synchronization in the rexmit timeout handler
  
  A received control packet may cause the transmit queue to be flushed, in
  which case ng_l2tp_seq_recv_nr() cancels the transmit timeout handler.
  The handler checks to see if it was cancelled before doing anything, but
  did so before acquiring the node lock, so a small race window could
  cause ng_l2tp_seq_rack_timeout() to attempt to flush an empty queue,
  ultimately causing a null pointer dereference.
  
  PR:           241133
  Reviewed by:  bz, glebius, Lutz Donnerhacke
  MFC after:    3 days
  Sponsored by: Rubicon Communications, LLC (Netgate)
  Differential Revision:        https://reviews.freebsd.org/D26548

Modified:
  head/sys/netgraph/ng_l2tp.c

Modified: head/sys/netgraph/ng_l2tp.c
==============================================================================
--- head/sys/netgraph/ng_l2tp.c Fri Sep 25 18:21:50 2020        (r366166)
+++ head/sys/netgraph/ng_l2tp.c Fri Sep 25 18:55:50 2020        (r366167)
@@ -1453,15 +1453,17 @@ ng_l2tp_seq_rack_timeout(node_p node, hook_p hook, voi
        struct mbuf *m;
        u_int delay;
 
-       /* Make sure callout is still active before doing anything */
-       if (callout_pending(&seq->rack_timer) ||
-           (!callout_active(&seq->rack_timer)))
-               return;
-
        /* Sanity check */
        L2TP_SEQ_CHECK(seq);
 
        mtx_lock(&seq->mtx);
+       /* Make sure callout is still active before doing anything */
+       if (callout_pending(&seq->rack_timer) ||
+           !callout_active(&seq->rack_timer)) {
+               mtx_unlock(&seq->mtx);
+               return;
+       }
+
        priv->stats.xmitRetransmits++;
 
        /* Have we reached the retransmit limit? If so, notify owner. */
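Review bot: L2TP_SEQ_CHECK(seq) still sits above mtx_lock(&seq->mtx), so it now runs on every invocation, including the cancelled case that the old early return skipped. If that macro reads sequence state without taking seq->mtx itself, it can look at the queue in the same window this change closes. Consider moving it below the new callout_pending()/callout_active() test, or note in the comment that the macro does its own locking. The relocated comment could also say why the test has to happen with the lock held, since the check is identical to the one removed and only its position changed.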
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
