From owner-freebsd-current@FreeBSD.ORG Sat Nov 15 21:17:35 2014
Date: Sat, 15 Nov 2014 16:17:35 -0500
Subject: Re: General Protection Fault in prelist_remove()
From: Ryan Stone
To: Mark Johnston
Cc: Hans Petter Selasky, FreeBSD Current
In-Reply-To: <20130916171016.GA1509@charmander>
References: <52372362.10506@bitfrost.no> <20130916171016.GA1509@charmander>
On Mon, Sep 16, 2013 at 1:10 PM, Mark Johnston wrote:
> I've partially fixed this at work by adding a rw lock to protect access
> to the prefix, default router, and DAD lists. The patch is here:
> http://people.freebsd.org/~markj/patches/ndp-locking.diff

Hi Mark,

I've hit a bug in this patch today. The problem is in the locking of the DAD list. Many functions (e.g. nd6_dad_duplicated) call nd6_dad_find() to look up a dadq structure, and then manipulate the structure with no lock held. The problem is that once nd6_dad_find() releases the ND lock there is nothing preventing another thread from going in and freeing the structure. This causes a use-after-free in nd6_dad_duplicated.

I have a setup which is somehow triggering DAD on link-local addresses (I don't understand why; I don't have duplicate MAC addresses on the network as best I can tell) and with INVARIANTS on I very frequently get a crash in nd6_dad_duplicated.

It looks to me that the only way to fix it is either to introduce reference counting into the structure, or to push the locking out of nd6_dad_find() and into the callers. Any opinions?