Bug 232193

Summary: in6_pcblookup_hash_locked() needs locking and inp validation possibly
Product: Base System
Reporter: Bjoern A. Zeeb <bz>
Component: kern
Assignee: Bjoern A. Zeeb <bz>
Status: Open
Severity: Affects Only Me
CC: bz, dch
Priority: ---
Keywords: ipv6
Version: CURRENT
Hardware: Any
OS: Any
Bug Depends on:
Bug Blocks: 232348

Description Bjoern A. Zeeb 2018-10-12 00:14:12 UTC
When in6_pcblookup_hash_locked() is called from in6_pcblookup_hash(), only the epoch() seems to protect it; that means we might be able to get an inp out of the list which is marked FREED, and we need to skip it;

the according places are already marked with "XXX locking" (which I seem to have put there a long time ago); see what happened in IPv4 land for that as well when touching this.
Comment 1 Bjoern A. Zeeb 2018-10-12 00:17:31 UTC
The checks in in6_pcblookup_hash() are actually a function bug as well, it seems, and need to be moved inside the _locked() variant; the only other caller seems to protect the call by a WLOCK, so it should be fine for that.

Crosscheck with IPv4.
Comment 2 Bjoern A. Zeeb 2018-10-17 00:04:23 UTC
https://reviews.freebsd.org/D17593
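As an added illustration (not code from this report or from FreeBSD), a small user-space C model of the pattern the description and Comment 1 call for: the chain is walked under read-side (epoch-like) protection only, so the FREED check is performed inside the _locked variant under the inp lock, and a freed entry is skipped rather than returned. The struct layout, the INP_FREED value and the lock flag are constructed for the model.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a pcb hash chain; not FreeBSD kernel code. */
#define INP_FREED 0x1   /* assumed analogue of the kernel's "freed" marking */

struct inpcb {
    struct inpcb *next;   /* next entry on the same hash chain */
    uint16_t lport;       /* local port this inp is bound to */
    unsigned flags;       /* INP_FREED once the inp has been torn down */
    int refcount;         /* references handed out by successful lookups */
    int locked;           /* stand-in for the per-inp lock */
};

/*
 * Lookup while only a read-side section protects the chain walk: a freed
 * inp may still be linked, so validation belongs here, in the _locked
 * variant, and is done with the inp lock held rather than in the caller.
 */
static struct inpcb *
pcb_lookup_hash_locked(struct inpcb *head, uint16_t lport)
{
    for (struct inpcb *inp = head; inp != NULL; inp = inp->next) {
        if (inp->lport != lport)
            continue;
        inp->locked = 1;            /* take the inp lock */
        if (inp->flags & INP_FREED) {
            inp->locked = 0;        /* drop it and keep walking */
            continue;               /* stale entry: never hand it out */
        }
        inp->refcount++;            /* caller now holds a reference */
        inp->locked = 0;
        return inp;
    }
    return NULL;                    /* nothing usable on the chain */
}

/* Constructed chain: a freed inp for port 80 sits ahead of a live one. */
static struct inpcb live80 = { NULL, 80, 0, 0, 0 };
static struct inpcb freed80 = { &live80, 80, INP_FREED, 0, 0 };

struct inpcb *
demo_lookup(uint16_t lport)
{
    return pcb_lookup_hash_locked(&freed80, lport);
}

/* Once every entry for the port is freed the lookup must fail cleanly. */
struct inpcb *
demo_lookup_all_freed(uint16_t lport)
{
    live80.flags |= INP_FREED;
    return pcb_lookup_hash_locked(&freed80, lport);
}
```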