From 8239c4ae24fa2950a54f273e949c0ef373ebf450 Mon Sep 17 00:00:00 2001 From: asomers Date: Thu, 2 Feb 2017 23:04:01 +0000 Subject: [PATCH] MFC r310180, r310327 r310180: Fix panic during lagg destruction with simultaneous status check If you run "ifconfig lagg0 destroy" and "ifconfig lagg0" at the same time a page fault may result. The first process will destroy ifp->if_lagg in lagg_clone_destroy (called by if_clone_destroy). Then the second process will observe that ifp->if_lagg is NULL at the top of lagg_port_ioctl and goto fallback: where it will promptly dereference ifp->if_lagg anyway. The solution is to repeat the NULL check for ifp->if_lagg MFC after: 4 weeks Sponsored by: Spectra Logic Corp Differential Revision: https://reviews.freebsd.org/D8512 r310327: Remove stray debugging code from r310180 Reported by: rstone Pointy hat to: asomers MFC after: 3 weeks X-MFC-with: 310180 Sponsored by: Spectra Logic Corp git-svn-id: svn://svn.freebsd.org/base/stable/10@313112 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- sys/net/if_lagg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/net/if_lagg.c b/sys/net/if_lagg.c index 87f358efb..a892f8bd1 100644 --- a/sys/net/if_lagg.c +++ b/sys/net/if_lagg.c @@ -858,7 +858,7 @@ lagg_port_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) return (error); fallback: - if (lp->lp_ioctl != NULL) + if (lp != NULL && lp->lp_ioctl != NULL) return ((*lp->lp_ioctl)(ifp, cmd, data)); return (EINVAL); -- 2.45.0