From: bugzilla-noreply@freebsd.org
To: net@FreeBSD.org
Subject: [Bug 279653] Page fault in in6_selecthlim
Date: Fri, 23 Jan 2026 22:37:12 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 14.0-STABLE
X-Bugzilla-Keywords: crash
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Status: In Progress
X-Bugzilla-Flags: needs_errata?
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=279653

--- Comment #22 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:

URL:
https://cgit.FreeBSD.org/src/commit/?id=f3de667137e90679cd20fa5c1dcd93a4c51ad848

commit f3de667137e90679cd20fa5c1dcd93a4c51ad848
Author:     Gleb Smirnoff
AuthorDate: 2026-01-23 22:18:18 +0000
Commit:     Gleb Smirnoff
CommitDate: 2026-01-23 22:18:18 +0000

    netinet6: free in6_ifextra with epoch_call(9)

    This is expected to fix the old in6_selecthlim() panics.  The nature of
    the panic is that a packet sending thread will obtain the struct ifnet
    pointer locklessly and then pick the if_inet6 pointer from it and
    dereference it.  While the struct ifnet is freed via epoch_call(9), the
    struct in6_ifextra until this change was not.  For the forwarded packets,
    or locally originated non-TCP packets we were probably safe due to the
    old if_dead trick.  But locally originated TCP packets may dereference
    in6_ifextra via direct call into in6_selecthlim() from the tcp_output(),
    before ip6_output().

    NB: hypothetically a similar problem also applies to IPv4's if_inet
    pointer, but there are no known panics, yet.

    PR:                     279653
    Reviewed by:            tuexen
    Differential Revision:  https://reviews.freebsd.org/D54728

 sys/netinet6/in6_ifattach.c | 25 ++++++++++++++++++++-----
 sys/netinet6/in6_var.h      |  2 ++
 2 files changed, 22 insertions(+), 5 deletions(-)

-- 
You are receiving this mail because:
You are the assignee for the bug.
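
The race and the fix described in the commit message above, as an added toy model in C (not code from the commit or from FreeBSD, and not the kernel's epoch(9) API). `toy_enter`, `toy_exit`, `toy_call`, `struct extra` and `struct ifp` are hypothetical stand-ins, and a `freed` flag replaces a real free so the stale access can be observed without undefined behaviour.

```c
/* Toy single-threaded model of deferred reclamation; not FreeBSD's epoch(9). */
#include <stdbool.h>
#include <stdio.h>

struct extra { int hlim; bool freed; };  /* stands in for struct in6_ifextra */
struct ifp { struct extra *inet6; };     /* stands in for struct ifnet */

static int readers, ndeferred;           /* active read sections, queued frees */
static struct extra *deferred[8];        /* frees waiting for readers to leave */
static bool reclaimed_at_end;            /* was the object freed once readers left? */

static void toy_enter(void) { readers++; }
static void toy_exit(void)
{
    if (--readers > 0) return;
    while (ndeferred > 0)                /* grace period over: run the callbacks */
        deferred[--ndeferred]->freed = true;
}
static void toy_call(struct extra *e)    /* hypothetical analogue of epoch_call(9) */
{
    if (readers == 0) e->freed = true; else deferred[ndeferred++] = e;
}

/* Interface detach: free at once (old behaviour) or defer (the fix). */
static void detach(struct ifp *ifp, bool defer)
{
    struct extra *e = ifp->inet6;
    ifp->inet6 = NULL;
    if (defer) toy_call(e); else e->freed = true;
}

/* A sender loads the pointer, detach runs, then the sender dereferences it.
 * Returns true when the sender touched an already-freed object. */
static bool reader_hits_freed(bool defer)
{
    struct extra e = { 64, false };      /* constructed sample data */
    struct ifp ifp = { &e };
    toy_enter();
    struct extra *seen = ifp.inet6;      /* lockless load of the pointer */
    detach(&ifp, defer);
    bool stale = seen->freed;            /* where the hop limit would be read */
    toy_exit();
    reclaimed_at_end = e.freed;
    return stale;
}
int main(void)
{
    bool a = reader_hits_freed(false), b = reader_hits_freed(true);
    printf("stale read: immediate free=%d, deferred free=%d\n", a, b);
    return 0;
}
```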