From dff4ea292c7a48641ee96f58a7cfe8807733f5ed Mon Sep 17 00:00:00 2001 From: bms Date: Sat, 14 Apr 2007 01:01:46 +0000 Subject: In member interface detach event handler, do not attempt to free state which has already been freed by in_ifdetach(). With this cumulative change, the removal of a member interface will not cause a panic in pfsync(4). Requested by: yar PR: 86848 --- sys/contrib/pf/net/if_pfsync.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'sys/contrib') diff --git a/sys/contrib/pf/net/if_pfsync.c b/sys/contrib/pf/net/if_pfsync.c index fa35ad6..0f5c344 100644 --- a/sys/contrib/pf/net/if_pfsync.c +++ b/sys/contrib/pf/net/if_pfsync.c @@ -1905,7 +1905,15 @@ pfsync_ifdetach(void *arg, struct ifnet *ifp) } imo = &sc->sc_imo; if (imo->imo_num_memberships > 0) { - in_delmulti(imo->imo_membership[--imo->imo_num_memberships]); + KASSERT(imo->imo_num_memberships == 1, + ("%s: imo_num_memberships != 1", __func__)); + /* + * Our event handler is always called after protocol + * domains have been detached from the underlying ifnet. + * Do not call in_delmulti(); we held a single reference + * which the protocol domain has purged in in_purgemaddrs(). + */ + imo->imo_membership[--imo->imo_num_memberships] = NULL; imo->imo_multicast_ifp = NULL; } -- cgit v1.1