From nobody Sun Dec 14 19:13:05 2025
From: bugzilla-noreply@freebsd.org
To: net@FreeBSD.org
Subject: [Bug 289017] [lagg] A time-of-check to time-of-use (TOCTOU) race exists in the Link Aggregation (LAGG) network subsystem
Date: Sun, 14 Dec 2025 19:13:05 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 14.3-RELEASE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: hanguidong02@gmail.com
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: net@FreeBSD.org
X-Bugzilla-Changed-Fields: cc
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net
Sender: owner-freebsd-net@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=289017

Gui-Dong Han changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hanguidong02@gmail.com

--- Comment #3 from Gui-Dong Han ---
(In reply to Zhenlei Huang from comment #1)

Update: I have successfully reproduced the race condition on a completely
unmodified GENERIC kernel. By maximizing the race window through
high-concurrency packet spraying and continuous protocol switching, I can
reliably trigger the panic within seconds. Please find the reproduction
scripts and the corresponding crash log below.
Crash log:

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x0
fault code              = supervisor read instruction, page not present
instruction pointer     = 0x20:0x0
stack pointer           = 0x28:0xfffffe0068f55948
frame pointer           = 0x28:0xfffffe0068f55970
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, IOPL = 0
current process         = 1040 (poc)
rdi: fffff80004444200 rsi: fffff80004f5d900 rdx: 9c58554433221100
rcx: fffffe0068f55ac0  r8: 0008a2ff10fc9c58  r9: fffff80004f5d960
rax: 0000000000000000 rbx: fffff800036fc000 rbp: fffffe0068f55970
r10: 0000000000000090 r11: fffff80004f74000 r12: 000000000000000e
r13: 0000000000000008 r14: fffffe0068f55ac0 r15: fffff800036fc000
trap number             = 12
panic: page fault
cpuid = 0
time = 1765738480
KDB: stack backtrace:
#0 0xffffffff80ba8f1d at kdb_backtrace+0x5d
#1 0xffffffff80b5aa11 at vpanic+0x161
#2 0xffffffff80b5a8a3 at panic+0x43
#3 0xffffffff8104dbfa at trap_pfault+0x3da
#4 0xffffffff81023dd8 at calltrap+0x8
#5 0xffffffff80c85a50 at ether_output+0x6b0
#6 0xffffffff80d21998 at ip_output+0x13a8
#7 0xffffffff80d52c40 at udp_send+0xb60
#8 0xffffffff80c0145c at sosend_dgram+0x31c
#9 0xffffffff80c0242f at sousrsend+0x5f
#10 0xffffffff80c0aec0 at kern_sendit+0x1c0
#11 0xffffffff80c0b1f2 at sendit+0x1b2
#12 0xffffffff80c0b02d at sys_sendto+0x4d
#13 0xffffffff8104e547 at amd64_syscall+0x117
#14 0xffffffff810246eb at fast_syscall_common+0xf8

-- 
You are receiving this mail because:
You are the assignee for the bug.
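Triaging a FreeBSD trap dump like the one above mechanically, as an added example (mine, not part of the bug report or of the FreeBSD source tree): a small parser that pulls the trap fields and backtrace out of the panic text, separates the panic-machinery frames from the kernel path that was actually executing, and flags that the page fault was an instruction fetch at the very address the CPU was about to execute, i.e. control reached address 0 with ether_output as the first non-panic frame. The embedded log is the report's own panic text, trimmed to the lines the parser uses.

```python
import re

# Panic text from comment #3 above, with the mail's quoted-printable encoding
# undone and trimmed to the lines this parser uses.
PANIC_LOG = """\
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x0
fault code              = supervisor read instruction, page not present
instruction pointer     = 0x20:0x0
current process         = 1040 (poc)
trap number             = 12
panic: page fault
KDB: stack backtrace:
#0 0xffffffff80ba8f1d at kdb_backtrace+0x5d
#1 0xffffffff80b5aa11 at vpanic+0x161
#2 0xffffffff80b5a8a3 at panic+0x43
#3 0xffffffff8104dbfa at trap_pfault+0x3da
#4 0xffffffff81023dd8 at calltrap+0x8
#5 0xffffffff80c85a50 at ether_output+0x6b0
#6 0xffffffff80d21998 at ip_output+0x13a8
#7 0xffffffff80d52c40 at udp_send+0xb60
"""

# "key = value" lines of the trap frame. The "0x20:" prefix of the instruction
# pointer is the code segment selector; the address follows the colon.
FIELD_RE = re.compile(r"^(fault virtual address|fault code|instruction pointer|"
                      r"current process|trap number)\s*=\s*(.+?)\s*$", re.M)
# "#N 0xADDR at symbol+0xOFF" backtrace lines.
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+\s+at\s+(\S+)\+0x([0-9a-f]+)$", re.M)
# Frames belonging to the panic path itself, not to the code that faulted.
PANIC_MACHINERY = {"kdb_backtrace", "vpanic", "panic", "trap_pfault", "calltrap"}


def parse_panic(log):
    """Return the trap fields plus a triage of where and how the kernel faulted."""
    fields = dict(FIELD_RE.findall(log))
    frames = [(sym, int(off, 16)) for _, sym, off in FRAME_RE.findall(log)]
    fault_addr = int(fields["fault virtual address"], 16)
    ip = int(fields["instruction pointer"].split(":")[1], 16)
    # An instruction-fetch fault at the very address the CPU was about to
    # execute means control was transferred there; address 0 is the classic
    # signature of an indirect call through a NULL function pointer.
    null_call = "instruction" in fields["fault code"] and ip == fault_addr == 0
    kernel_path = [sym for sym, _ in frames if sym not in PANIC_MACHINERY]
    return {"trap": int(fields["trap number"]), "process": fields["current process"],
            "null_function_call": null_call,
            "faulting_function": kernel_path[0] if kernel_path else None,
            "call_chain": kernel_path}
```

Run it on a full dump (the register lines are ignored) and the call_chain reads bottom-up as the send path that was in flight when the fault hit.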