Date: Thu, 24 Jan 2019 23:14:09 +0000 From: bugzilla-noreply@freebsd.org To: net@FreeBSD.org Subject: [Bug 235097] ci runs panic with use-after-free when running sys/netpfil/pf/nat tests Message-ID: <bug-235097-7501-troecpDG3U@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-235097-7501@https.bugs.freebsd.org/bugzilla/> References: <bug-235097-7501@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D235097 --- Comment #12 from Kristof Provost <kp@freebsd.org> --- The following appears to fix the panic in comment #6: diff --git a/sys/net/if.c b/sys/net/if.c index a6552f80f37..7e3e662d342 100644 --- a/sys/net/if.c +++ b/sys/net/if.c @@ -1194,6 +1195,11 @@ if_detach_internal(struct ifnet *ifp, int vmove, str= uct if_clone **ifcp) if (!CK_STAILQ_EMPTY(&ifp->if_addrhead)) { ifa =3D CK_STAILQ_FIRST(&ifp->if_addrhead); CK_STAILQ_REMOVE(&ifp->if_addrhead, ifa, ifaddr, ifa_link); + //KASSERT(ifa !=3D ifp->if_addr, ("")); + if (ifa =3D=3D ifp->if_addr) { + ifp->if_addr =3D NULL; + printf("KP: set ifp->if_addr to NULL\n"); + } IF_ADDR_WUNLOCK(ifp); ifa_free(ifa); } else We free the ifaddr, but we can still have a pointer to it in ifp->if_addr. = This check triggers, and in several test runs with this patch I've not managed to reproduce the panic any more. I'm doing more runs, because this problem com= es and goes, but I hope this will be a useful pointer to someone who knows that code better than me. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-235097-7501-troecpDG3U>