From: Mikolaj Golub
To: d@delphij.net
Cc: freebsd-virtualization@FreeBSD.org
Organization: TOA Ukraine
Date: Wed, 04 Jul 2012 10:00:59 +0300
Message-ID: <86wr2kau38.fsf@in138.ua3>
In-Reply-To: <4FF32FC4.6020701@delphij.net> (Xin Li's message of "Tue, 03 Jul 2012 10:45:40 -0700")
References: <4FF32FC4.6020701@delphij.net>
Subject: Re: GPF when doing jail -r, possibly an use-after-free

On Tue, 03 Jul 2012 10:45:40 -0700 Xin Li wrote:

XL> Hi,
XL>
XL> I've talked with bz@ briefly about this and we think it's better to
XL> put this to a mailing list.
XL>
XL> Here is what I have seen on 8.2-RELEASE (with a few local patches).
XL> When doing "jail -r ", after a while, a GPF happens here, in
XL> sys/net/vnet.c:
XL>
XL> /*
XL>  * Destroy a virtual network stack.
XL>  */
XL> void
XL> vnet_destroy(struct vnet *vnet)
XL> {
XL>         struct ifnet *ifp, *nifp;
XL> [...]
XL>         /* Return all inherited interfaces to their parent vnets. */
XL>         TAILQ_FOREACH_SAFE(ifp, &V_ifnet, if_link, nifp) {
XL> --->            if (ifp->if_home_vnet != ifp->if_vnet)
XL>                         if_vmove(ifp, ifp->if_home_vnet);
XL>         }
XL>
XL> Where I saw %esi and %edi as "0xdeadc0de", so my understanding is that
XL> there is an use-after-free somewhere. I'm still trying to track this
XL> bug down.
XL>
XL> In this configuration we used bridge and epair to communicate with the
XL> jail. Teardown of the bridge would bring the underlying interface
XL> down and up, not sure if that's related though.

Is this observed after destroying epair? There is an issue with epair:
on destroy, when epair_clone_destroy() calls ether_ifdetach() for its
second half it does not switch to its vnet and if_detach_internal()
can't find the interface and just returns. As a result V_ifnet list is
left with dead reference.

http://lists.freebsd.org/pipermail/freebsd-virtualization/2011-January/000628.html

Here is an updated patch against CURRENT:

http://people.freebsd.org/~trociny/if_epair.c.epair_clone_destroy.1.patch

-- 
Mikolaj Golub
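The failure mode Mikolaj describes, modelled in user space as an added illustration (this is not the FreeBSD kernel code, the epair driver, or the linked patch): each vnet keeps its own list of interfaces, a detach only searches the list of whatever vnet is "current", and an epair half that lives in another vnet is therefore silently left in that vnet's list when it is freed. The later walk over the list (the vnet_destroy() loop in the report) then finds an entry pointing at released memory. The structures, the detach/free helpers, the vnet names and the 0xdeadc0de poison marker are all constructed here; the real kernel fills freed memory with that pattern only under malloc debugging, which is why the register values in the report are a tell for use-after-free.

```c
#include <stdio.h>
#include <stddef.h>

struct ifnet;

/* Constructed stand-in for a vnet: an intrusive doubly-linked list of
 * interfaces, playing the role of the kernel's per-vnet V_ifnet queue. */
struct vnet {
    const char   *name;
    struct ifnet *ifnet_head;
};

/* Constructed stand-in for struct ifnet. */
struct ifnet {
    const char   *name;
    struct vnet  *if_vnet;        /* vnet whose list currently holds this ifp */
    struct ifnet *next, *prev;    /* V_ifnet linkage */
    unsigned long poison;         /* set to POISON once the object is "freed" */
};

#define POISON 0xdeadc0deUL       /* mimics the kernel's freed-memory pattern */

static void if_attach(struct vnet *v, struct ifnet *ifp)
{
    ifp->if_vnet = v;
    ifp->prev = NULL;
    ifp->next = v->ifnet_head;
    if (v->ifnet_head)
        v->ifnet_head->prev = ifp;
    v->ifnet_head = ifp;
}

/* Stand-in for if_detach_internal(): searches only the list of the vnet
 * passed as "current". Returns 1 when ifp was unlinked, 0 when it was
 * not found there and was therefore left untouched. */
static int if_detach_internal(struct vnet *curvnet, struct ifnet *ifp)
{
    for (struct ifnet *p = curvnet->ifnet_head; p != NULL; p = p->next) {
        if (p != ifp)
            continue;
        if (p->prev) p->prev->next = p->next; else curvnet->ifnet_head = p->next;
        if (p->next) p->next->prev = p->prev;
        p->next = p->prev = NULL;
        p->if_vnet = NULL;
        return 1;
    }
    return 0;                     /* quietly not found: the bug's trigger */
}

/* "Free" an interface. The object is deliberately kept alive so that
 * walking a stale list remains defined behaviour in this model; the
 * poison marker records that the kernel would have released it. */
static void if_free(struct ifnet *ifp)
{
    ifp->poison = POISON;
}

/* Buggy variant: both halves are detached in the vnet current for the
 * first half. The second half lives in another vnet, so its detach
 * fails silently and its list entry outlives the free. */
static void epair_destroy_buggy(struct ifnet *a, struct ifnet *b)
{
    struct vnet *cur = a->if_vnet;
    if_detach_internal(cur, a);
    if_detach_internal(cur, b);   /* returns 0: b is not in this list */
    if_free(a);
    if_free(b);
}

/* Fixed variant: make each half's own vnet current before detaching it
 * (the CURVNET_SET/CURVNET_RESTORE analogue) and never free an object
 * that could not be unlinked. Returns 0 on success, -1 otherwise. */
static int epair_destroy_fixed(struct ifnet *a, struct ifnet *b)
{
    if (!if_detach_internal(a->if_vnet, a)) return -1;
    if (!if_detach_internal(b->if_vnet, b)) return -1;
    if_free(a);
    if_free(b);
    return 0;
}

/* The walk from the report: count entries of a vnet's list that point
 * at freed (poisoned) memory. Anything non-zero is a dangling reference
 * of the kind that produced the GPF. */
static int count_dangling(const struct vnet *v)
{
    int n = 0;
    for (const struct ifnet *p = v->ifnet_head; p != NULL; p = p->next)
        if (p->poison == POISON)
            n++;
    return n;
}

/* Scenario: epair0a stays in the host vnet, epair0b has been moved into
 * the jail's vnet, and the pair is destroyed from the host. Returns the
 * number of dangling entries left behind in the jail's list. */
static int run_scenario(int use_fix)
{
    struct vnet host = { "host", NULL }, jail = { "jail", NULL };
    struct ifnet a = { "epair0a", NULL, NULL, NULL, 0 };
    struct ifnet b = { "epair0b", NULL, NULL, NULL, 0 };

    if_attach(&host, &a);
    if_attach(&jail, &b);         /* the if_vmove() of the b half into the jail */

    if (use_fix)
        epair_destroy_fixed(&a, &b);
    else
        epair_destroy_buggy(&a, &b);

    return count_dangling(&jail);
}

int main(void)
{
    printf("buggy destroy leaves %d dangling ifnet(s) in the jail vnet\n", run_scenario(0));
    printf("fixed destroy leaves %d dangling ifnet(s) in the jail vnet\n", run_scenario(1));
    return 0;
}
```

The point the model makes is that a detach routine which returns without signalling "not found" converts a wrong-vnet call into a silent dangling pointer; checking the result (or asserting on it, as the fixed variant does) turns the same mistake into an immediate, diagnosable failure instead of a crash on a later, unrelated teardown.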