Date: Tue, 03 Jul 2012 10:45:40 -0700
From: Xin Li <delphij@delphij.net>
To: freebsd-virtualization@FreeBSD.org
Cc: d@delphij.net
Subject: GPF when doing jail -r, possibly an use-after-free
Message-ID: <4FF32FC4.6020701@delphij.net>
Hi,

I've talked with bz@ briefly about this and we think it's better to put this on a mailing list.

Here is what I have seen on 8.2-RELEASE (with a few local patches). When doing "jail -r <jid>", after a while, a GPF happens here, in sys/net/vnet.c:

    /*
     * Destroy a virtual network stack.
     */
    void
    vnet_destroy(struct vnet *vnet)
    {
    	struct ifnet *ifp, *nifp;
    [...]
    	/* Return all inherited interfaces to their parent vnets. */
    	TAILQ_FOREACH_SAFE(ifp, &V_ifnet, if_link, nifp) {
--->		if (ifp->if_home_vnet != ifp->if_vnet)
    			if_vmove(ifp, ifp->if_home_vnet);
    	}

where I saw %esi and %edi as "0xdeadc0de", so my understanding is that there is a use-after-free somewhere. I'm still trying to track this bug down.

In this configuration we used bridge and epair to communicate with the jail. Teardown of the bridge would bring the underlying interface down and up; not sure if that's related though.

Cheers,
-- 
Xin LI <delphij@delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!           Live free or die
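As an added illustration (not from Xin's message or the FreeBSD tree), here is a userland model of the loop above: a list of interfaces, one of which is freed without being unlinked, walked with a freed-memory poison check of the kind that makes the 0xdeadc0de registers recognisable in a crash. The names FOREACH_SAFE, poison_free, is_poisoned, return_ifaces_home and scenario, and the simplified struct layouts, are constructed for this example and are not the kernel's.

```c
#include <stdint.h>
#include <string.h>

#define JUNK_WORD 0xdeadc0deU   /* the freed-memory fill pattern from the report */
struct vnet { int id; };
struct ifnet {
	struct vnet *if_vnet;       /* vnet the interface is in now */
	struct vnet *if_home_vnet;  /* vnet that created it */
	struct ifnet *if_link;      /* next on the per-vnet interface list */
};
/* Same shape as TAILQ_FOREACH_SAFE: the successor is read before the body runs. */
#define FOREACH_SAFE(var, head, tvar) \
	for ((var) = (head); (var) != NULL && ((tvar) = (var)->if_link, 1); (var) = (tvar))
/* Emulate a poisoning free: trash the object but keep its storage, so the
 * stale reference can be inspected in userland instead of faulting. */
static void poison_free(struct ifnet *ifp)
{
	uint32_t junk = JUNK_WORD;
	for (size_t off = 0; off + sizeof junk <= sizeof *ifp; off += sizeof junk)
		memcpy((char *)ifp + off, &junk, sizeof junk);
}
static int is_poisoned(const struct ifnet *ifp)
{
	uint32_t w; memcpy(&w, ifp, sizeof w); return w == JUNK_WORD;
}
/* The vnet_destroy loop from the report with a poison check ahead of the field
 * access: returns interfaces moved home, or -1 at the first stale entry (the walk
 * must stop there, since nifp was already loaded from the trashed object). */
static int return_ifaces_home(struct ifnet *head)
{
	struct ifnet *ifp, *nifp; int moved = 0;
	FOREACH_SAFE(ifp, head, nifp) {
		if (is_poisoned(ifp))
			return -1;
		if (ifp->if_home_vnet != ifp->if_vnet) {
			ifp->if_vnet = ifp->if_home_vnet;
			moved++;
		}
	}
	return moved;
}
/* Constructed scenario: three interfaces on a child vnet's list; with free_middle
 * set, the second one is freed without being unlinked first (the suspected bug). */
static int scenario(int free_middle)
{
	struct vnet parent = { 0 }, child = { 1 };
	struct ifnet c = { &child, &child, NULL }, b = { &child, &parent, &c }, a = { &child, &parent, &b };
	if (free_middle)
		poison_free(&b);
	return return_ifaces_home(&a);
}
```

With the middle interface intact the walk moves the two inherited interfaces home; with it poisoned the check trips on the second element, which is where the real loop would load 0xdeadc0de into its registers and fault.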