git: f5a365e51fee - main - inet6: protect address manipulation with a lock
Date: Thu, 30 Mar 2023 08:47:01 UTC
The branch main has been updated by mjg: URL: https://cgit.FreeBSD.org/src/commit/?id=f5a365e51feea75d1e5ebc86c53808d8cae7b6d7 commit f5a365e51feea75d1e5ebc86c53808d8cae7b6d7 Author: Mateusz Guzik <mjg@FreeBSD.org> AuthorDate: 2023-03-29 12:46:41 +0000 Commit: Mateusz Guzik <mjg@FreeBSD.org> CommitDate: 2023-03-30 08:46:38 +0000 inet6: protect address manipulation with a lock This is a total hack/bare minimum which follows inet4. Otherwise 2 threads removing the same address can easily crash. Reviewed by: kp Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D39317 --- sys/netinet6/in6.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/sys/netinet6/in6.c b/sys/netinet6/in6.c index 27dc3550177c..3d967e9a40c7 100644 --- a/sys/netinet6/in6.c +++ b/sys/netinet6/in6.c @@ -168,6 +168,9 @@ static void in6_leave_proxy_ndp_mc(struct ifnet *, const struct in6_addr *); #define ifa2ia6(ifa) ((struct in6_ifaddr *)(ifa)) #define ia62ifa(ia6) (&((ia6)->ia_ifa)) +static struct sx in6_control_sx; +SX_SYSINIT(in6_control_sx, &in6_control_sx, "in6_control"); + void in6_newaddrmsg(struct in6_ifaddr *ia, int cmd) { @@ -254,6 +257,7 @@ in6_control(struct socket *so, u_long cmd, void *data, struct in6_aliasreq *ifra = (struct in6_aliasreq *)data; struct sockaddr_in6 *sa6; int error; + bool control_locked = false; /* * Compat to make pre-10.x ifconfig(8) operable. @@ -411,6 +415,8 @@ in6_control(struct socket *so, u_long cmd, void *data, if (td != NULL && (error = prison_check_ip6(td->td_ucred, &sa6->sin6_addr)) != 0) return (error); + sx_xlock(&in6_control_sx); + control_locked = true; ia = in6ifa_ifpwithaddr(ifp, &sa6->sin6_addr); } else ia = NULL; @@ -582,6 +588,9 @@ in6_control(struct socket *so, u_long cmd, void *data, error = 0; out: + if (control_locked) + sx_xunlock(&in6_control_sx); + if (ia != NULL) ifa_free(&ia->ia_ifa); return (error);