Date: Wed, 24 Jan 2018 23:21:38 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 225438] panic in6_unlink_ifa() due to race
Message-ID: <bug-225438-8-lpIr7C3EQY@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-225438-8@https.bugs.freebsd.org/bugzilla/>
References: <bug-225438-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225438

--- Comment #1 from Dave Baukus <daveb@spectralogic.com> ---

Patching in6_unlink_ifa() with something like below only pushes the crash to a double free in in6_leavegroup():

#11 0xffffffff804bf103 in panic (fmt=<value optimized out>)
#12 0xffffffff8073765e in uma_dbg_free (zone=0xfffff81b7ffce000, ...)
#13 0xffffffff807370d4 in uma_zfree_arg (zone=0xfffff81b7ffce000, ...)
#14 0xffffffff8049a91b in free (addr=0xfffff801eb278c20, mtp=0xffffffff80b5a980)
#15 0xffffffff80684b6f in in6_leavegroup (imm=0xfffff801eb278c20)
#16 0xffffffff8067e83b in in6_purgeaddr (ifa=0xfffff8015b270600)
#17 0xffffffff8067c355 in in6_control ()

% diff -du in6.c.orig in6.c
--- in6.c.orig 2018-01-24 16:15:52.742977158 -0700
+++ in6.c 2018-01-24 16:17:29.140814668 -0700
@@ -1288,8 +1288,16 @@
 int remove_lle;
 IF_ADDR_WLOCK(ifp);
- TAILQ_REMOVE(&ifp->if_addrhead, &ia->ia_ifa, ifa_link);
+ TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
+ if (ifa->ifa_addr->sa_family == AF_INET6 &&
+ (struct in6_ifaddr *)ifa == ia) {
+ TAILQ_REMOVE(&ifp->if_addrhead, &ia->ia_ifa, ifa_link);
+ break;
+ }
+ }
 IF_ADDR_WUNLOCK(ifp);
+ if (ifa == NULL)
+ return;
 ifa_free(&ia->ia_ifa); /* if_addrhead */

-- 
You are receiving this mail because:
You are the assignee for the bug.
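Review bot: the early `return` after `IF_ADDR_WUNLOCK(ifp)` only protects this function; the caller keeps going, and the backtrace shows in6_purgeaddr() proceeding into in6_leavegroup(), which is where the double free now lands. The outcome of the guarded walk needs to reach the caller (for example by returning whether this call performed the `TAILQ_REMOVE`, or by moving the "is it still on the list" decision up into in6_purgeaddr() so the whole teardown, membership list included, runs only for the caller that won). Two smaller points on the same hunk: `ifa` is read after the loop, but the visible context (`int remove_lle;`) does not show a `struct ifaddr *ifa` declaration, so confirm one is already in scope; and once `(struct in6_ifaddr *)ifa == ia` is compared, the preceding `sa_family == AF_INET6` test is redundant (pointer equality already identifies the entry), though harmless.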
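The point of the comment above, that a guarded unlink alone moves the failure from list corruption to a double free of the multicast membership, can be replayed in a small model. The code below is an added example written for this page; it is not FreeBSD's in6.c, not the patch from the comment, and not whatever fix the bug eventually received. It uses the same sys/queue.h tail-queue macros as the patch but on constructed types (`struct iface`, `struct addr_entry`, `struct membership`, all invented here), replays the racy interleaving serially (two purge paths both acting on one entry, one after the other, as if each had decided to tear it down before the other unlinked it), and counts a second release instead of crashing. The unpatched unconditional `TAILQ_REMOVE` is not replayed because a second removal of an already-removed entry is undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/queue.h>

/*
 * Constructed model for this example; not FreeBSD's in6.c.
 * An interface holds a tail queue of addresses. Each address owns one
 * multicast membership that must be released exactly once; a second
 * release stands in for the double free seen in in6_leavegroup().
 */
struct membership {
	int released;			/* 1 once the membership has been released */
};

struct addr_entry {
	TAILQ_ENTRY(addr_entry) link;	/* plays the role of ifa_link */
	struct membership *memb;
};

TAILQ_HEAD(addr_head, addr_entry);

struct iface {
	struct addr_head addrs;		/* plays the role of if_addrhead */
	int double_releases;		/* would-be double frees, counted not crashed */
};

static void iface_init(struct iface *ifp)
{
	TAILQ_INIT(&ifp->addrs);
	ifp->double_releases = 0;
}

static struct addr_entry *addr_add(struct iface *ifp, struct membership *m)
{
	struct addr_entry *ia = calloc(1, sizeof(*ia));
	if (ia == NULL)
		abort();
	ia->memb = m;
	TAILQ_INSERT_TAIL(&ifp->addrs, ia, link);
	return ia;
}

/*
 * Guarded unlink in the spirit of the posted patch: walk the list and
 * remove the entry only if it is still there. Unlike the patch, it
 * reports whether this caller performed the removal.
 */
static bool unlink_guarded(struct iface *ifp, struct addr_entry *ia)
{
	struct addr_entry *ifa;

	TAILQ_FOREACH(ifa, &ifp->addrs, link) {
		if (ifa == ia) {
			TAILQ_REMOVE(&ifp->addrs, ia, link);
			return true;
		}
	}
	return false;
}

/* Stand-in for in6_leavegroup(): release once, count any repeat. */
static void leavegroup(struct iface *ifp, struct membership *m)
{
	if (m->released) {
		ifp->double_releases++;	/* the double free of the report */
		return;
	}
	m->released = 1;
}

/* Purge as the patch leaves it: guarded unlink, unconditional release. */
static void purge_patched(struct iface *ifp, struct addr_entry *ia)
{
	(void)unlink_guarded(ifp, ia);	/* outcome not propagated to the caller */
	leavegroup(ifp, ia->memb);
}

/* Purge where only the caller that won the unlink releases the membership. */
static void purge_owned(struct iface *ifp, struct addr_entry *ia)
{
	if (!unlink_guarded(ifp, ia))
		return;			/* the other path owns the teardown */
	leavegroup(ifp, ia->memb);
}

/*
 * Replay the racy interleaving serially: two purge paths both decided to
 * tear down the same address and each runs purge() in turn. Returns the
 * number of would-be double frees.
 */
int race_twice(void (*purge)(struct iface *, struct addr_entry *))
{
	struct iface ifp;
	struct membership m = { 0 };
	struct addr_entry *ia;

	iface_init(&ifp);
	ia = addr_add(&ifp, &m);
	purge(&ifp, ia);
	purge(&ifp, ia);
	free(ia);
	return ifp.double_releases;
}

int double_frees_patched(void) { return race_twice(purge_patched); }
int double_frees_owned(void) { return race_twice(purge_owned); }

int main(void)
{
	printf("guarded unlink, unconditional leavegroup: %d double free(s)\n",
	    double_frees_patched());
	printf("unlink outcome gates leavegroup:          %d double free(s)\n",
	    double_frees_owned());
	return 0;
}
```

`purge_patched` reproduces the shape of the report: the second caller finds nothing on the list, returns from the unlink, and still releases the membership that the first caller already released. `purge_owned` makes the list removal the single point that decides ownership of the rest of the teardown, which is the property a real fix has to establish under the interface lock; the serial replay only checks the logic, not the locking.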