Date:      Thu, 26 Oct 2023 10:29:40 +0200
From:      Kristof Provost <kp@FreeBSD.org>
To:        Zhenlei Huang <zlei@FreeBSD.org>
Cc:        FreeBSD Net <freebsd-net@freebsd.org>, Alexander Chernikov <melifaro@freebsd.org>
Subject:   Re: fib6_lookup() returning deleted struct ifnet
Message-ID:  <2B21403B-A939-4484-B83B-85ECDC51D22A@FreeBSD.org>
In-Reply-To: <3A4AA88F-E352-46DC-81DB-7408CD0A4D77@FreeBSD.org>
References:  <A5BC4385-AA39-4608-B1BA-0551AFBB49CD@FreeBSD.org> <3A4AA88F-E352-46DC-81DB-7408CD0A4D77@FreeBSD.org>

On 26 Oct 2023, at 3:49, Zhenlei Huang wrote:
>> On Oct 25, 2023, at 11:27 PM, Kristof Provost <kp@FreeBSD.org> wrote:
>> The call in tcp_default_output() is in6_selecthlim(int, NULL);, so we don’t get an ifp from the caller, but instead perform a route lookup, and try to obtain the hop limit through ND_IFINFO(nh->nh_ifp). This panics because the afdata[AF_INET6] pointer is NULL. The core dump shows a deleted structure ifnet:
>>
>>
>
> `egrep -r 'if_afdata\[AF_INET6\]\s*[!=]=\s*NULL' sys/netinet6` shows there are many places that do the NULL check. I think we can do it in in6_selecthlim() as a workaround.
>
We could (either check for if_afdata[AF_INET], or for the absence of IFF_DYING in if_flags), but that feels a lot like hiding the problem rather than fixing it.
As you say, fib6_lookup() should not be returning invalid next hops, so it might make sense to add the check there, but I still want to understand why we end up in this state in the first place.

>> We’ve also gone through if_free(), as the ifindex_table no longer contains the struct ifnet pointer for the relevant interface.
>> We appear to have not yet called if_free_deferred() (and indeed, ifp->if_refcount is 4, so we wouldn’t have called that yet).
>>
>> I’m confused as to how this can happen, and would appreciate hints.
>>
>
> I believe Alexander has insight on this.
>
I’m certainly hoping smarter people than me will know more :)

Best regards,
Kristof



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2B21403B-A939-4484-B83B-85ECDC51D22A>