git: f3546eacf0da - main - if_bridge: fix potential panic
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 19 May 2023 13:42:45 UTC
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=f3546eacf0daac55fe08b6ad5849b0e440f75ffb commit f3546eacf0daac55fe08b6ad5849b0e440f75ffb Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2023-05-18 18:04:45 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2023-05-19 13:26:52 +0000 if_bridge: fix potential panic When a new bridge_rtnode is added it is added with a NULL brt_dst. The brt_dst is set after the entry is added. This means there's a small window where another core could also attempt to add this node, leading to the code attempting to log that the MAC addresses moved to a new interface. Aside from that being a spurious log entry it also panics, because obif is NULL (and we attempt to dereference it). Avoid this by settings brt_dst before we insert the bridge_rtnode. Assert that obif is non-NULL, as an extra precaution. Reported by: olivier@ Reviewed by: zlei@ Differential Revision: https://reviews.freebsd.org/D40147 --- sys/net/if_bridge.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c index d78c647df0b4..9fe915d31283 100644 --- a/sys/net/if_bridge.c +++ b/sys/net/if_bridge.c @@ -2940,12 +2940,12 @@ bridge_rtupdate(struct bridge_softc *sc, const uint8_t *dst, uint16_t vlan, memcpy(brt->brt_addr, dst, ETHER_ADDR_LEN); brt->brt_vlan = vlan; + brt->brt_dst = bif; if ((error = bridge_rtnode_insert(sc, brt)) != 0) { uma_zfree(V_bridge_rtnode_zone, brt); BRIDGE_RT_UNLOCK(sc); return (error); } - brt->brt_dst = bif; bif->bif_addrcnt++; BRIDGE_RT_UNLOCK(sc); @@ -2953,6 +2953,8 @@ bridge_rtupdate(struct bridge_softc *sc, const uint8_t *dst, uint16_t vlan, if ((brt->brt_flags & IFBAF_TYPEMASK) == IFBAF_DYNAMIC && (obif = brt->brt_dst) != bif) { + MPASS(obif != NULL); + BRIDGE_RT_LOCK(sc); brt->brt_dst->bif_addrcnt--; brt->brt_dst = bif;