From: Xin Li <delphij@delphij.net>
Organization: The FreeBSD Project
Date: Tue, 03 Jul 2012 10:45:40 -0700
To: freebsd-virtualization@FreeBSD.org
Cc: d@delphij.net
Subject: GPF when doing jail -r, possibly a use-after-free
Message-ID: <4FF32FC4.6020701@delphij.net>

Hi,

I've talked with bz@ briefly about this and we think it's better to put this to a mailing list.
Here is what I have seen on 8.2-RELEASE (with a few local patches).

When doing "jail -r ", after a while, a GPF happens here, in sys/net/vnet.c:

    /*
     * Destroy a virtual network stack.
     */
    void
    vnet_destroy(struct vnet *vnet)
    {
            struct ifnet *ifp, *nifp;
    [...]
            /* Return all inherited interfaces to their parent vnets. */
            TAILQ_FOREACH_SAFE(ifp, &V_ifnet, if_link, nifp) {
    --->            if (ifp->if_home_vnet != ifp->if_vnet)
                            if_vmove(ifp, ifp->if_home_vnet);
            }

Where I saw %esi and %edi as "0xdeadc0de", so my understanding is that there is a use-after-free somewhere. I'm still trying to track this bug down.

In this configuration we used bridge and epair to communicate with the jail. Teardown of the bridge would bring the underlying interface down and up, not sure if that's related though.

Cheers,
-- 
Xin LI <delphij@delphij.net>
https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
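The report above describes a TAILQ_FOREACH_SAFE walk over V_ifnet running into an ifnet whose storage was already freed, with the 0xdeadc0de pattern (what FreeBSD's UMA trash poisoning writes into freed items) showing up in the registers. The following is an added, self-contained model of that walk, not FreeBSD code and not the author's: a simplified ifnet/vnet layout, a simulated premature free that writes the same poison pattern, and a version of the "return inherited interfaces home" loop that checks for the poison pattern (both in the pointer value it is about to follow and in the object it has reached) before dereferencing, so the fault is reported instead of taken. The struct fields, vnet names and interface names are constructed stand-ins.

```c
/*
 * Model of the vnet_destroy() interface walk with freed-memory poison
 * detection. Added example, not FreeBSD source: struct layouts, names
 * and the list implementation are simplified stand-ins.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UMA_POISON 0xdeadc0deU /* pattern UMA's trash_dtor() writes into freed items */

struct vnet { const char *name; };

struct ifnet {
    struct ifnet *if_next;      /* stands in for if_link.tqe_next */
    struct vnet  *if_vnet;      /* vnet the interface currently lives in */
    struct vnet  *if_home_vnet; /* vnet the interface was created in */
    char          if_xname[16];
};

/* True if the pointer value itself is the poison pattern, i.e. it was read
 * out of an already-freed object (the "0xdeadc0de in %esi" case). The
 * 64-bit pattern truncates to 0xdeadc0de on a 32-bit build. */
static int ptr_is_poison(const void *p)
{
    uint64_t pat = ((uint64_t)UMA_POISON << 32) | UMA_POISON;
    return (uintptr_t)p == (uintptr_t)pat;
}

/* True if the object's first word carries the poison pattern. */
static int obj_is_poison(const struct ifnet *ifp)
{
    uint32_t w;
    memcpy(&w, ifp, sizeof w);
    return w == UMA_POISON;
}

/* Simulated free: overwrite the object with the poison pattern but keep the
 * storage, so the walk can observe what a real use-after-free would read. */
static void if_free_simulated(struct ifnet *ifp)
{
    uint32_t pat = UMA_POISON;
    unsigned char *b = (unsigned char *)ifp;
    for (size_t off = 0; off + sizeof pat <= sizeof *ifp; off += sizeof pat)
        memcpy(b + off, &pat, sizeof pat);
}

/* Return all inherited interfaces to their home vnet, as the loop in
 * vnet_destroy() does. Returns the number moved, or -1 if the list led
 * into freed memory (instead of faulting on it). */
static int vnet_return_ifnets(struct ifnet **head)
{
    struct ifnet *ifp, *nifp, **link = head;
    int moved = 0;

    for (ifp = *head; ifp != NULL; ifp = nifp) {
        if (ptr_is_poison(ifp) || obj_is_poison(ifp)) {
            fprintf(stderr, "use-after-free: ifnet %p is freed memory\n", (void *)ifp);
            return -1;
        }
        nifp = ifp->if_next; /* TAILQ_FOREACH_SAFE reads the next link before the body */
        if (ifp->if_home_vnet != ifp->if_vnet) {
            *link = nifp;    /* unlink from the dying vnet's list (if_vmove stand-in) */
            ifp->if_vnet = ifp->if_home_vnet;
            moved++;
        } else {
            link = &ifp->if_next;
        }
    }
    return moved;
}

/* Constructed scenario: a jail vnet holding one interface inherited from the
 * parent (em0) and two of its own (epair0b, lo0). With simulate_uaf set,
 * epair0b is freed while still linked, as could happen during bridge/epair
 * teardown, before the walk runs. */
int demo_walk(int simulate_uaf)
{
    static struct vnet parent = { "vnet0" }, jail = { "jail1" };
    static struct ifnet em0, epair0b, lo0;
    struct ifnet *head;

    em0     = (struct ifnet){ &epair0b, &jail, &parent, "em0"     };
    epair0b = (struct ifnet){ &lo0,     &jail, &jail,   "epair0b" };
    lo0     = (struct ifnet){ NULL,     &jail, &jail,   "lo0"     };
    head = &em0;

    if (simulate_uaf)
        if_free_simulated(&epair0b);

    return vnet_return_ifnets(&head);
}

int main(void)
{
    printf("healthy teardown: moved %d interface(s) home\n", demo_walk(0));
    printf("with premature free: result %d\n", demo_walk(1));
    return 0;
}
```

In the healthy run only em0 is returned to the parent vnet; with the simulated free the walk stops at epair0b and reports it rather than reading its poisoned if_next and then dereferencing 0xdeadc0de, which is the register value the report shows. The checks are a diagnostic aid for narrowing down where the stale link comes from; the fix for the real bug is to make sure an ifnet is unlinked from V_ifnet before its memory is released.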