Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 04 Jul 2012 10:00:59 +0300
From:      Mikolaj Golub <trociny@freebsd.org>
To:        d@delphij.net
Cc:        freebsd-virtualization@FreeBSD.org
Subject:   Re: GPF when doing jail -r, possibly an use-after-free
Message-ID:  <86wr2kau38.fsf@in138.ua3>
In-Reply-To: <4FF32FC4.6020701@delphij.net> (Xin Li's message of "Tue, 03 Jul 2012 10:45:40 -0700")
References:  <4FF32FC4.6020701@delphij.net>
next in thread | previous in thread | raw e-mail | index | archive | help 

On Tue, 03 Jul 2012 10:45:40 -0700 Xin Li wrote:

 XL> Hi,

 XL> I've talked with bz@ briefly about this and we think it's better to
 XL> put this to a mailing list.

 XL> Here is what I have seen on 8.2-RELEASE (with a few local patches).
 XL>  When doing "jail -r <jid>", after a while, a GPF happens here, in
 XL> sys/net/vnet.c:

 XL> /*
 XL>  * Destroy a virtual network stack.
 XL>  */
 XL> void
 XL> vnet_destroy(struct vnet *vnet)
 XL> {
 XL>         struct ifnet *ifp, *nifp;

 XL> [...]

 XL>         /* Return all inherited interfaces to their parent vnets. */
 XL>         TAILQ_FOREACH_SAFE(ifp, &V_ifnet, if_link, nifp) {
 XL> --->            if (ifp->if_home_vnet != ifp->if_vnet)
 XL>                         if_vmove(ifp, ifp->if_home_vnet);
 XL>         }

 XL> Where I saw %esi and %edi as "0xdeadc0de", so my understanding is that
 XL> there is an use-after-free somewhere.  I'm still trying to track this
 XL> bug down.

 XL> In this configuration we used bridge and epair to communicate with the
 XL> jail.  Teardown of the bridge would bring the underlying interface
 XL> down and up, not sure if that's related though.

Is this observed after destroying epair? There is an issue with epair: on
destroy, when epair_clone_destroy() calls ether_ifdetach() for its second half
it does not switch to its vnet and if_detach_internal() can't find the
interface and just returns. As a result V_ifnet list is left with dead
reference.

http://lists.freebsd.org/pipermail/freebsd-virtualization/2011-January/000628.html

Here is an updated patch against CURRENT:

http://people.freebsd.org/~trociny/if_epair.c.epair_clone_destroy.1.patch

-- 
Mikolaj Golub

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86wr2kau38.fsf>