From 649224baee8a591915dcae7162ee9dd50e44a159 Mon Sep 17 00:00:00 2001
From: mvs
Date: Mon, 1 Feb 2021 07:46:55 +0000
Subject: [PATCH] Netlock should be grabbed before pppx_if_find() call in pppxwrite(). Otherwise this `pxi' can be killed by concurrent thread after context switch caused by following netlock. ok yasuoka@
---
 sys/net/if_pppx.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/sys/net/if_pppx.c b/sys/net/if_pppx.c
index 75be8ff7810..4280558d5e6 100644
--- a/sys/net/if_pppx.c
+++ b/sys/net/if_pppx.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pppx.c,v 1.107 2021/02/01 07:44:58 mvs Exp $ */
+/* $OpenBSD: if_pppx.c,v 1.108 2021/02/01 07:46:55 mvs Exp $ */
 /*
 * Copyright (c) 2010 Claudio Jeker
@@ -371,8 +371,12 @@ pppxwrite(dev_t dev, struct uio *uio, int ioflag)
 /* Find the interface */
 th = mtod(top, struct pppx_hdr *);
 m_adj(top, sizeof(struct pppx_hdr));
+
+ NET_LOCK();
+
 pxi = pppx_if_find(pxd, th->pppx_id, th->pppx_proto);
 if (pxi == NULL) {
+ NET_UNLOCK();
 m_freem(top);
 return (EINVAL);
 }
@@ -386,8 +390,6 @@ pppxwrite(dev_t dev, struct uio *uio, int ioflag)
 proto = ntohl(*(uint32_t *)(th + 1));
 m_adj(top, sizeof(uint32_t));
- NET_LOCK();
-
 switch (proto) {
 case AF_INET:
 ipv4_input(&pxi->pxi_if, top);
-- 
2.20.1
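Review bot: Taking NET_LOCK() ahead of pppx_if_find() in the second hunk means every exit between the lookup and the final unlock must now drop the lock, and only the `pxi == NULL` branch is visible here. New-side lines 383–389 fall between the two hunks and pppxwrite() continues past the last one, so it is worth confirming that no return path in those stretches leaves the netlock held. The commit message implies the lookup hands back `pxi` without taking a reference, so the object's lifetime rests entirely on the lock. If that reading is right, a comment above the call would record the invariant for the next person who moves the lock, for example `/* netlock held from lookup to last use of pxi: pppx_if_find() takes no reference */`.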