Date: Mon, 29 Apr 2002 10:21:54 -0700 (PDT)
From: Mike Hibler <mike@cs.utah.edu>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/37573: kernel crashes when changing dummynet pipe characteristics
Message-ID: <200204291721.g3THLsN36037@freefall.freebsd.org>
>Number: 37573
>Category: kern
>Synopsis: kernel crashes when changing dummynet pipe characteristics
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Apr 29 10:30:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Mike Hibler
>Release: 4.3, 4.5, current
>Organization:
University of Utah
>Environment:
>Description:
There is an obvious race in netinet/ip_dummynet.c:config_pipe().
Interrupts are not blocked when changing the params of an existing
pipe. The specific crash observed:
... -> config_pipe -> set_fs_parms -> config_red
malloc a new w_q_lookup table but take an interrupt before
initializing it, interrupt handler does:
... -> dummynet_io -> red_drops
red_drops dereferences the uninitialized (zeroed) w_q_lookup table
>How-To-Repeat:
Change the characteristics of an active pipe frequently.
>Fix:
In ip_dummynet.c:config_pipe(), in the not-a-new-pipe case, splimp() protect pipe/queue manipulations (primarily the call to set_fs_parms).
>Release-Note:
>Audit-Trail:
>Unformatted:
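Added example, not part of the original report and not FreeBSD code: a deterministic userland model of the window described above, where the new w_q_lookup table becomes visible before it is filled, and of the splimp()-style protection proposed under >Fix:. Every name ending in _model, the interrupt_arrives() hook, and the weight values are assumptions constructed for illustration.

```c
#include <stdlib.h>

/* Userland model of the race in the report; all names ending in _model and
 * the weight values are constructed for illustration, not kernel code. */
struct flow_set { unsigned *w_q_lookup; size_t lookup_depth; };

static struct flow_set *active;  /* pipe the "interrupt handler" will touch */
static int spl_blocked;          /* 1 while the modelled splimp() is held */
static int irq_pending;          /* interrupt deferred while blocked */
static int saw_uninit;           /* handler read a table entry that was still zero */

/* Stands in for dummynet_io -> red_drops reading the lookup table. */
static void red_drops_model(const struct flow_set *fs) {
    if (fs->w_q_lookup != NULL && fs->lookup_depth > 0 && fs->w_q_lookup[0] == 0)
        saw_uninit = 1;
}

/* A network interrupt arriving here: runs at once unless blocked. */
static void interrupt_arrives(void) {
    if (spl_blocked) irq_pending = 1;
    else red_drops_model(active);
}

static int splimp_model(void) { int s = spl_blocked; spl_blocked = 1; return s; }

static void splx_model(int s) {
    spl_blocked = s;
    if (!s && irq_pending) { irq_pending = 0; red_drops_model(active); }
}

/* Stands in for config_red: the new table is visible before it is filled. */
static int config_red_model(struct flow_set *fs, size_t depth) {
    unsigned *t = calloc(depth, sizeof *t);
    if (t == NULL) return -1;
    free(fs->w_q_lookup);
    fs->w_q_lookup = t;
    fs->lookup_depth = depth;
    interrupt_arrives();                    /* the window from the report */
    for (size_t i = 0; i < depth; i++) t[i] = (unsigned)(depth - i);  /* nonzero weights */
    return 0;
}

/* Reconfigure an existing pipe; returns 1 if the handler saw a zeroed table. */
int race_observed(int protect) {
    struct flow_set fs = { NULL, 0 };
    int s = 0;
    active = &fs; saw_uninit = 0; irq_pending = 0; spl_blocked = 0;
    if (protect) s = splimp_model();
    if (config_red_model(&fs, 8) != 0) return -1;
    if (protect) splx_model(s);
    free(fs.w_q_lookup);
    return saw_uninit;
}
```

With protect set, the modelled interrupt is deferred until splx_model() and the handler only ever sees the filled table.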
