Date:      Wed, 10 Jan 2024 21:10:22 +0000
From:      bugzilla-noreply@freebsd.org
To:        net@FreeBSD.org
Subject:   [Bug 276248] race of IPv6 address removal with nd6_timer(), panic in in6_unlinkin6_unlink_ifa
Message-ID:  <bug-276248-7501@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276248

            Bug ID: 276248
           Summary: race of IPv6 address removal with nd6_timer(), panic
                    in in6_unlinkin6_unlink_ifa
           Product: Base System
           Version: 15.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: net@FreeBSD.org
          Reporter: glebius@FreeBSD.org

nd6_timer() uses the network epoch to go through the list of IPv6 addresses:

        CK_STAILQ_FOREACH_SAFE(ia6, &V_in6_ifaddrhead, ia_link, nia6) {

Note that at the time of the epoch(9) introduction to the kernel, this list
traversal didn't use any locking, hence the comment "XXXRW: in6_ifaddrhead locking".

The epoch locking guarantees safe memory access, but doesn't prevent
addresses from being removed.  Then nd6_timer() may call in6_purgeaddr(),
which will try to remove an address that could already have been removed,
e.g. by in6_control().  This race manifests as a panic:

#17 0xffffffff80c33c58 in trap_check (frame=0xfffffe000effdb70) at
/usr/src/FreeBSD/sys/amd64/amd64/trap.c:662
#19 0xffffffff8097e623 in in6_unlink_ifa (ia=0xfffff80002520900,
ifp=0xfffff8004d72d000) at /usr/src/FreeBSD/sys/netinet6/in6.c:1445
#20 0xffffffff8097ee0b in in6_purgeaddr (ifa=0xfffff80002520900) at
/usr/src/FreeBSD/sys/netinet6/in6.c:1405
#21 0xffffffff809ad781 in nd6_timer (arg=0xfffff8015064dc00) at
/usr/src/FreeBSD/sys/netinet6/nd6.c:961
#22 0xffffffff80673536 in softclock_call_cc (c=0xfffffe00b98be828,
cc=0xffffffff816800c0, direct=0)
    at /usr/src/FreeBSD/sys/kern/kern_timeout.c:717
#23 0xffffffff80675e46 in softclock_thread (arg=0xffffffff816800c0) at
/usr/src/FreeBSD/sys/kern/kern_timeout.c:856

-- 
You are receiving this mail because:
You are the assignee for the bug.
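As an added illustration (not code from the report or from FreeBSD), a deterministic user-space model of the race described above: the epoch keeps the captured address's memory valid, but a concurrent remover can still unlink it, and a purge that trusts the captured pointer then unlinks it a second time. The `linked` flag and the membership re-check in `purge_checked()` are assumptions of the model, not the kernel's actual fix.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed user-space model of the race (not FreeBSD code): the epoch
 * keeps an address's memory alive, but not its list membership, so a timer
 * holding a captured pointer can unlink an address a remover already took. */
struct addr { int id; bool linked; struct addr *next; }; /* linked: assumed on-list flag */

enum purge_result { PURGED = 0, SKIPPED = 1, BAD_UNLINK = -1 };

static struct addr *head;

/* Unlink target; false = not on the list, the condition behind the panic. */
static bool unlink_addr(struct addr *target)
{
    for (struct addr **pp = &head; *pp != NULL; pp = &(*pp)->next) {
        if (*pp == target) {
            *pp = target->next;
            target->linked = false;
            return true;
        }
    }
    return false;
}

/* Timer-style purge that trusts the pointer captured during traversal. */
static enum purge_result purge_unchecked(struct addr *ia)
{
    return unlink_addr(ia) ? PURGED : BAD_UNLINK;
}

/* Purge that re-checks membership first (under the writer lock in a real
 * kernel); this check is the assumed mitigation, not the report's fix. */
static enum purge_result purge_checked(struct addr *ia)
{
    if (!ia->linked)
        return SKIPPED;     /* already removed, e.g. by in6_control() */
    return unlink_addr(ia) ? PURGED : BAD_UNLINK;
}

/* Replay: the timer captures ia during its epoch walk, the remover may
 * unlink it in between, then the timer purges what it captured. */
static enum purge_result replay(bool removed_meanwhile, bool checked)
{
    struct addr a = {1, true, NULL}, b = {2, true, &a}, c = {3, true, &b};
    head = &c;
    struct addr *captured = &b;        /* memory still valid under the epoch */
    if (removed_meanwhile)
        unlink_addr(&b);               /* concurrent address removal wins */
    return checked ? purge_checked(captured) : purge_unchecked(captured);
}
```

`replay(true, false)` returns `BAD_UNLINK`, the second unlink the backtrace shows, while `replay(true, true)` skips the already-removed address.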