From owner-svn-src-stable@freebsd.org Fri Dec 7 09:39:39 2018 Return-Path: Delivered-To: svn-src-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 107D513319E8; Fri, 7 Dec 2018 09:39:39 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id AC5F28107F; Fri, 7 Dec 2018 09:39:38 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 73BE7114DB; Fri, 7 Dec 2018 09:39:38 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id wB79dcpx060019; Fri, 7 Dec 2018 09:39:38 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id wB79dcKM060018; Fri, 7 Dec 2018 09:39:38 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201812070939.wB79dcKM060018@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f From: "Andrey V. Elsukov" Date: Fri, 7 Dec 2018 09:39:38 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r341678 - stable/11/sys/net X-SVN-Group: stable-11 X-SVN-Commit-Author: ae X-SVN-Commit-Paths: stable/11/sys/net X-SVN-Commit-Revision: 341678 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: AC5F28107F X-Spamd-Result: default: False [-2.03 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-0.99)[-0.989,0]; NEURAL_HAM_SHORT(-0.97)[-0.971,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-0.07)[-0.070,0] X-Rspamd-Server: mx1.freebsd.org X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Dec 2018 09:39:39 -0000 Author: ae Date: Fri Dec 7 09:39:37 2018 New Revision: 341678 URL: https://svnweb.freebsd.org/changeset/base/341678 Log: MFC r341008: Fix possible panic during ifnet detach in rtsock. The panic can happen, when some application does dump of routing table using sysctl interface. To prevent this, set IFF_DYING flag in if_detach_internal() function, when ifnet under lock is removed from the chain. In sysctl_rtsock() take IFNET_RLOCK_NOSLEEP() to prevent ifnet detach during routes enumeration. In case, if some interface was detached in the time before we take the lock, add the check, that ifnet is not DYING. This prevents access to memory that could be freed after ifnet is unlinked. Differential Revision: https://reviews.freebsd.org/D18338 Modified: stable/11/sys/net/if.c stable/11/sys/net/rtsock.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/net/if.c ============================================================================== --- stable/11/sys/net/if.c Fri Dec 7 09:38:25 2018 (r341677) +++ stable/11/sys/net/if.c Fri Dec 7 09:39:37 2018 (r341678) @@ -1031,6 +1031,8 @@ if_detach_internal(struct ifnet *ifp, int vmove, struc TAILQ_FOREACH(iter, &V_ifnet, if_link) if (iter == ifp) { TAILQ_REMOVE(&V_ifnet, ifp, if_link); + if (!vmove) + ifp->if_flags |= IFF_DYING; found = 1; break; } Modified: stable/11/sys/net/rtsock.c ============================================================================== --- stable/11/sys/net/rtsock.c Fri Dec 7 09:38:25 2018 (r341677) +++ stable/11/sys/net/rtsock.c Fri Dec 7 09:39:37 2018 (r341678) @@ -1548,6 +1548,8 @@ sysctl_dumpentry(struct radix_node *rn, void *vw) struct rt_addrinfo info; struct sockaddr_storage ss; + IFNET_RLOCK_NOSLEEP_ASSERT(); + if (w->w_op == NET_RT_FLAGS && !(rt->rt_flags & w->w_arg)) return 0; if ((rt->rt_flags & RTF_HOST) == 0 @@ -1560,7 +1562,7 @@ sysctl_dumpentry(struct radix_node *rn, void *vw) info.rti_info[RTAX_NETMASK] = rtsock_fix_netmask(rt_key(rt), rt_mask(rt), &ss); info.rti_info[RTAX_GENMASK] = 0; - if (rt->rt_ifp) { + if (rt->rt_ifp && !(rt->rt_ifp->if_flags & IFF_DYING)) { info.rti_info[RTAX_IFP] = rt->rt_ifp->if_addr->ifa_addr; info.rti_info[RTAX_IFA] = rt->rt_ifa->ifa_addr; if (rt->rt_ifp->if_flags & IFF_POINTOPOINT) @@ -1925,8 +1927,10 @@ sysctl_rtsock(SYSCTL_HANDLER_ARGS) rnh = rt_tables_get_rnh(fib, i); if (rnh != NULL) { RIB_RLOCK(rnh); + IFNET_RLOCK_NOSLEEP(); error = rnh->rnh_walktree(&rnh->head, sysctl_dumpentry, &w); + IFNET_RUNLOCK_NOSLEEP(); RIB_RUNLOCK(rnh); } else if (af != 0) error = EAFNOSUPPORT;