svn commit: r366167 - head/sys/netgraph

Mark Johnston markj at FreeBSD.org
Fri Sep 25 18:55:50 UTC 2020


Author: markj
Date: Fri Sep 25 18:55:50 2020
New Revision: 366167
URL: https://svnweb.freebsd.org/changeset/base/366167

Log:
  ng_l2tp: Fix callout synchronization in the rexmit timeout handler
  
  A received control packet may cause the transmit queue to be flushed, in
  which case ng_l2tp_seq_recv_nr() cancels the transmit timeout handler.
  The handler checks to see if it was cancelled before doing anything, but
  did so before acquiring the node lock, so a small race window could
  cause ng_l2tp_seq_rack_timeout() to attempt to flush an empty queue,
  ultimately causing a null pointer dereference.
  
  PR:		241133
  Reviewed by:	bz, glebius, Lutz Donnerhacke
  MFC after:	3 days
  Sponsored by:	Rubicon Communications, LLC (Netgate)
  Differential Revision:	https://reviews.freebsd.org/D26548

Modified:
  head/sys/netgraph/ng_l2tp.c

Modified: head/sys/netgraph/ng_l2tp.c
==============================================================================
--- head/sys/netgraph/ng_l2tp.c	Fri Sep 25 18:21:50 2020	(r366166)
+++ head/sys/netgraph/ng_l2tp.c	Fri Sep 25 18:55:50 2020	(r366167)
@@ -1453,15 +1453,17 @@ ng_l2tp_seq_rack_timeout(node_p node, hook_p hook, voi
 	struct mbuf *m;
 	u_int delay;
 
-	/* Make sure callout is still active before doing anything */
-	if (callout_pending(&seq->rack_timer) ||
-	    (!callout_active(&seq->rack_timer)))
-		return;
-
 	/* Sanity check */
 	L2TP_SEQ_CHECK(seq);
 
 	mtx_lock(&seq->mtx);
+	/* Make sure callout is still active before doing anything */
+	if (callout_pending(&seq->rack_timer) ||
+	    !callout_active(&seq->rack_timer)) {
+		mtx_unlock(&seq->mtx);
+		return;
+	}
+
 	priv->stats.xmitRetransmits++;
 
 	/* Have we reached the retransmit limit? If so, notify owner. */
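Review bot: The comment on the relocated check in ng_l2tp_seq_rack_timeout() still reads only "Make sure callout is still active before doing anything" and does not say that the test has to run with seq->mtx held. That is the whole point of the fix. Consider extending it, for example to "Make sure callout is still active; must be checked under seq->mtx because the receive path can cancel the timer", so a later cleanup does not hoist the check back above mtx_lock(). Separately, L2TP_SEQ_CHECK(seq) still runs ahead of mtx_lock(&seq->mtx). Its definition is not part of this hunk, so it is worth confirming that it does not inspect the transmit queue without the lock, since that would be exposed to the same window the log message describes.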

