mirror of
https://git.FreeBSD.org/src.git
synced 2025-01-11 14:10:34 +00:00
21b415b212
Specifically, if two threads were doing concurrent lookups and the existing gateway was marked down, the the first thread would drop a reference on the gateway route and then unlock the "root" route while it tried to allocate a new route. The second thread could then also drop a reference on the same gateway route resulting in a reference underflow. Fix this by clearing the gateway route pointer after dropping the reference count but before dropping the lock. Secondly, in this same case, the second thread would overwrite the gateway route pointer w/o free'ing a reference to the route installed by the first thread. In practice this would probably just fix a lost reference that would result in a route never being freed. This fixes panics observed in rt_check() and rtexpunge(). MFC after: 1 week PR: kern/112490 Insight from: mehuljv at yahoo.com Reviewed by: ru (found the "not-setting it to NULL" part) Tested by: several |
||
|---|---|---|
| .. | ||
| dest6.c | ||
| frag6.c | ||
| icmp6.c | ||
| icmp6.h | ||
| in6_cksum.c | ||
| in6_gif.c | ||
| in6_gif.h | ||
| in6_ifattach.c | ||
| in6_ifattach.h | ||
| in6_pcb.c | ||
| in6_pcb.h | ||
| in6_proto.c | ||
| in6_rmx.c | ||
| in6_src.c | ||
| in6_var.h | ||
| in6.c | ||
| in6.h | ||
| ip6_ecn.h | ||
| ip6_forward.c | ||
| ip6_id.c | ||
| ip6_input.c | ||
| ip6_ipsec.c | ||
| ip6_ipsec.h | ||
| ip6_mroute.c | ||
| ip6_mroute.h | ||
| ip6_output.c | ||
| ip6_var.h | ||
| ip6.h | ||
| ip6protosw.h | ||
| mld6_var.h | ||
| mld6.c | ||
| nd6_nbr.c | ||
| nd6_rtr.c | ||
| nd6.c | ||
| nd6.h | ||
| pim6_var.h | ||
| pim6.h | ||
| raw_ip6.c | ||
| raw_ip6.h | ||
| route6.c | ||
| scope6_var.h | ||
| scope6.c | ||
| sctp6_usrreq.c | ||
| sctp6_var.h | ||
| tcp6_var.h | ||
| udp6_usrreq.c | ||
| udp6_var.h | ||