Date: Mon, 26 May 2014 11:38:37 +0200
From: Steve Read <steve.read@netasq.com>
To: "Bjoern A. Zeeb" <bz@FreeBSD.org>
Cc: freebsd-net@freebsd.org
Subject: Re: Problem: no locking around IPv6 prefix structures in prelist_remove
Message-ID: <53830B9D.40509@netasq.com>
In-Reply-To: <232CE242-ECDD-4627-AE44-8265B9CC4690@FreeBSD.org>
References: <53830546.1080309@netasq.com> <232CE242-ECDD-4627-AE44-8265B9CC4690@FreeBSD.org>
OK, thanks.

-- 
Steve Read

On 26.05.2014 11:24, Bjoern A. Zeeb wrote:
> On 26 May 2014, at 09:11, Steve Read <steve.read@netasq.com> wrote:
>
>> I have recently encountered an interesting double-free crash in prelist_remove() (management of IPv6 prefixes used by interface addresses) using a modified version of 9.2. We've seen this once.
>>
>> It appears that two userland threads tried simultaneously to remove the last interface address that referenced a particular prefix, and both, therefore, tried to remove it from the global list of prefixes. (Feel free to correct my interpretation of the purpose of prelist_remove and how it is invoked.) One of them succeeded, and the other was left holding a chunk of free()ed memory, and crashed when trying to delete it.
>>
>> I looked at the code surrounding this function, and I can find no sign of locking around the prefix list or, indeed, anywhere in the call-stack (sys_ioctl => kern_ioctl => soo_ioctl => ifi_ioctl => in6_control => prelist_remove). I looked in HEAD, and this part of the code appears to be more or less the same, in particular the question of locking.
>>
>> Should I submit a PR (no, we can't retry with a generic kernel)?
>
> No need for either.
>
> markj@ has a patch to fix a good deal of racy prefix list locking which needs review and testing.
>
> —
> Bjoern A. Zeeb
> "Come on. Learn, goddamn it.", WarGames, 1983