From d9fa2d67eb5f7634ed70ced089a873d1e0f301bd Mon Sep 17 00:00:00 2001 From: Alan Somers Date: Fri, 16 Dec 2016 22:39:30 +0000 Subject: [PATCH] Fix panic during lagg destruction with simultaneous status check If you run "ifconfig lagg0 destroy" and "ifconfig lagg0" at the same time a page fault may result. The first process will destroy ifp->if_lagg in lagg_clone_destroy (called by if_clone_destroy). Then the second process will observe that ifp->if_lagg is NULL at the top of lagg_port_ioctl and goto fallback: where it will promptly dereference ifp->if_lagg anyway. The solution is to repeat the NULL check for ifp->if_lagg MFC after: 4 weeks Sponsored by: Spectra Logic Corp Differential Revision: https://reviews.freebsd.org/D8512 --- sys/net/if_lagg.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sys/net/if_lagg.c b/sys/net/if_lagg.c index 16f872aad2e..32ca1f9fb73 100644 --- a/sys/net/if_lagg.c +++ b/sys/net/if_lagg.c @@ -252,6 +252,7 @@ SYSCTL_INT(_net_link_lagg, OID_AUTO, default_flowid_shift, CTLFLAG_RWTUN, &VNET_NAME(def_flowid_shift), 0, "Default setting for flowid shift for load sharing"); +#pragma clang optimize off static void vnet_lagg_init(const void *unused __unused) { @@ -1022,7 +1023,7 @@ lagg_port_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) return (error); fallback: - if (lp->lp_ioctl != NULL) + if (lp != NULL && lp->lp_ioctl != NULL) return ((*lp->lp_ioctl)(ifp, cmd, data)); return (EINVAL);