From f544a74870f527aa2e07777ccbad2aec77196239 Mon Sep 17 00:00:00 2001 From: Alan Somers Date: Fri, 2 May 2014 16:24:09 +0000 Subject: [PATCH] Fix a panic caused by doing "ifconfig -am" while a lagg is being destroyed. The thread that is destroying the lagg has already set sc->sc_psc=NULL when the "ifconfig -am" thread gets to lacp_req(). It tries to dereference sc->sc_psc and panics. The solution is for lacp_req() to check the value of sc->sc_psc. If NULL, harmlessly return an lacp_opreq structure full of zeros. Full details in GNATS. PR: kern/189003 Reviewed by: timeout on freebsd-net@ MFC after: 3 weeks Sponsored by: Spectra Logic Corporation --- sys/net/ieee8023ad_lacp.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/sys/net/ieee8023ad_lacp.c b/sys/net/ieee8023ad_lacp.c index b023c6caa119..aa38efabd50d 100644 --- a/sys/net/ieee8023ad_lacp.c +++ b/sys/net/ieee8023ad_lacp.c @@ -590,10 +590,20 @@ lacp_req(struct lagg_softc *sc, caddr_t data) { struct lacp_opreq *req = (struct lacp_opreq *)data; struct lacp_softc *lsc = LACP_SOFTC(sc); - struct lacp_aggregator *la = lsc->lsc_active_aggregator; + struct lacp_aggregator *la; - LACP_LOCK(lsc); bzero(req, sizeof(struct lacp_opreq)); + + /* + * If the LACP softc is NULL, return with the opreq structure full of + * zeros. It is normal for the softc to be NULL while the lagg is + * being destroyed. + */ + if (NULL == lsc) + return; + + la = lsc->lsc_active_aggregator; + LACP_LOCK(lsc); if (la != NULL) { req->actor_prio = ntohs(la->la_actor.lip_systemid.lsi_prio); memcpy(&req->actor_mac, &la->la_actor.lip_systemid.lsi_mac,
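Review bot: The new NULL test on lsc and the load "la = lsc->lsc_active_aggregator;" both run before "LACP_LOCK(lsc);", so nothing visible in this hunk prevents the destroying thread from clearing sc->sc_psc and tearing down the softc after "if (NULL == lsc)" has passed but before the lock is taken. That narrows the window described in the commit message instead of closing it, unless the caller already holds a lock that serializes lacp_req() against lagg destruction; if it does, please say so in the new comment and name the lock. Independently of that, consider moving the assignment to la below LACP_LOCK(lsc) so the active aggregator pointer is read under the same lock that covers the la != NULL branch. Minor style point: "NULL == lsc" is written in the opposite order from the "la != NULL" test a few lines later in the same function; "lsc == NULL" would be consistent.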