Date:      Mon, 09 Jul 2012 09:01:23 +0300
From:      Mikolaj Golub <trociny@freebsd.org>
To:        "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc:        d@delphij.net, FreeBSD virtualization mailing list <freebsd-virtualization@FreeBSD.org>
Subject:   Re: GPF when doing jail -r, possibly an use-after-free
Message-ID:  <86liit8ocs.fsf@in138.ua3>
In-Reply-To: <50CFED43-7789-4F27-9EC7-85268B7F23D4@lists.zabbadoz.net> (Bjoern A. Zeeb's message of "Sun, 8 Jul 2012 20:52:55 +0000")
References:  <4FF32FC4.6020701@delphij.net> <86wr2kau38.fsf@in138.ua3> <4FF5E87C.2020908@delphij.net> <86r4sqasrt.fsf@kopusha.home.net> <672D93D3-D4B1-432E-AE53-98E6C05B8BE4@lists.zabbadoz.net> <86zk7da10y.fsf@in138.ua3> <E909B0C0-F4DE-4110-B151-98FAC9330B82@lists.zabbadoz.net> <86obnqq94x.fsf@kopusha.home.net> <50CFED43-7789-4F27-9EC7-85268B7F23D4@lists.zabbadoz.net>


On Sun, 8 Jul 2012 20:52:55 +0000 Bjoern A. Zeeb wrote:

 BAZ> Situation 1)

 BAZ>         epairNa is in base, epairNb is in jail foo
 BAZ>         stop jail foo: jail -r foo
 BAZ>         both epairN[ab] will live in base and can be destroyed without vnet switching

 BAZ> Situation 2)

 BAZ>         epairNa is in base, epairNb is in jail foo
 BAZ>         you are in jail foo and type epairNb destroy;  that should not be allowed

 BAZ> Situation 3)

 BAZ>         epairNa is in base, epairNb is in jail foo
 BAZ>         you are in base and type ifconfig epairNa destroy

 BAZ>         This is your case ...  I am not sure what I'd expect in this case,
 BAZ>         especially given epair is special...  You probably are right.
 BAZ>         Ideally I'd not allow it to be destroyed unless both are in the
 BAZ>         if_home_vnet.  However it seems we allow this; so in that case
 BAZ>         I definitively make sure to use the CURVNET_SET_QUIET() version
 BAZ>         to avoid the expected noise otherwise.

It looks like epair was expected to allow this, because in the non-patched version
it already did the switching before freeing the interface. It just did not switch
before detaching.

CURVNET_SET_QUIET() is used in the current version of the patch so I suppose I
can commit it.

But if you think that just not allowing the destroy unless both ends are in the
if_home_vnet is the preferred solution and it is not too late to change this, I can
provide the patch.

 BAZ> The moment cloners will handle this it'll all be centrally managed
 BAZ> and individual device drivers shouldn't need to worry about it anymore.

-- 
Mikolaj Golub
