From nobody Fri Jan 28 23:09:38 2022 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id B7B071988856; Fri, 28 Jan 2022 23:09:38 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4JltSy4s3Kz4lHd; Fri, 28 Jan 2022 23:09:38 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1643411378; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=wRRP8s/e3BDM+kZ1vy/GIZFKD7z85PV+HgQbXRtZ6pI=; b=wKkz1VyIbwY5eg/sOm45ZfkEoAgSecI3O4r0uDL/DZ43ojIlgSIMwzMBOaXi76126Coeqp GufWsqjE+CbEjaKBVduI9A2pX3qZOPUf1w4gDAe880dex0o2aojXNZeqGWINagqw7HlrxP NzaRatagm1NXYlTzgj04YtXN+wY0HSssqL89IhXR0sHEdOieGgXPIiyO+TZIegKhpiwIGx svY+62hWdIIYzuvfZJQ1C15Skt9lNfpnaPV1jdqeRUaWxHcF7svrmBs3zqsCBXiZbJPF0T USNND9t+J0FKqhW8ojiLY+v6nKvnBiqE5AzgzIPOfPKaAoI3/GnXhlLBFVBPzg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 86BC02C25; Fri, 28 Jan 2022 23:09:38 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 20SN9cXn066272; Fri, 28 Jan 2022 23:09:38 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 20SN9cmW066271; Fri, 28 Jan 2022 23:09:38 GMT (envelope-from git) Date: Fri, 28 Jan 2022 23:09:38 GMT Message-Id: <202201282309.20SN9cmW066271@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Kristof Provost Subject: git: 703e533da5e2 - main - mbuf: do not restore dying interfaces List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 703e533da5e2e4743d38bbf4605fec041bc69976 Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1643411378; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=wRRP8s/e3BDM+kZ1vy/GIZFKD7z85PV+HgQbXRtZ6pI=; b=KEQwu63j8xHIUHInJxmvWWvlMJUQADCC7oFbOmAGhh3Qc29AE707eHaRv8IFT2/iOcDlWR cD1RlwAt807X8bBxoGksOMFsJf9CbhggO6srqlCtxPhdBrVK2Srs3BrYXeoU2xbflZd0u1 3L57ypiHFQ4ICkue+vIb9knPbn3lFbBz31mn63Jriv/Dq5imuptdhlrOBzPZo6XykvWObv 2Ny+VfkEuTikVp41uaF8Q9lVwjRD9KXe4XyVANYxR3bnGsaLEu/i0g4GVWp2BUMZuxJf66 bk8/zgcwzIPUjj0BEbIvVaxksJ2N6tkGVe0ZHlwrlXCBqrNyfdXW1G+56Y4XYA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1643411378; a=rsa-sha256; cv=none; b=DKMgor7tmiZjeoBTcPHxVI+Zrs+6lFWyboQP3B78DAUCFbiM3nPcFhahJBacr8UOs93Qak Z87fY0r2cXMgZmPC8zlHI87WAoNHixk3slxbd5Ke0eRlUzE/lUjPCo7ky0cTwNR+OG2t+I zlkHRbWdGRkZbGghqawLboT987O5LgNB2SJf0KQqa3rIHyaDi4feNLvfHmOWs8g8cJKBQc iiHxwnjWxkwZucTbz6OXh7nIb5Z3gD9xNecbRnFMn/DKkRuqH1/n9mDw5cGhJFrczYqae7 Ugf3TfcZZvNqZjtA9Nn/tbMhcz0/Ai5n/v4j7eGXrVr6p6s4i4zHuvv/pi7j1g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=703e533da5e2e4743d38bbf4605fec041bc69976 commit 703e533da5e2e4743d38bbf4605fec041bc69976 Author: Kristof Provost AuthorDate: 2022-01-27 21:01:09 +0000 Commit: Kristof Provost CommitDate: 2022-01-28 22:09:08 +0000 mbuf: do not restore dying interfaces When we remove an interface it is first removed from the interface list V_ifnet (by if_unlink_ifnet()) and marked as IFF_DYING. We then wait for any possible references to stop being used (i.e. epoch_wait/epoch_drain_callbacks) before we tear it fully down. However, the index in ifindex_table is not removed, so m_rcvif_restore() can still find the (now dying) interface. This results in panics, for example when dummynet restores the rcvif pointer and passes a packet to ip6_input() we can panic because the AF_INET6 domain has already been removed (so we end up dereferencing a NULL pointer there). Check that the interface is not dying before we restore it, which is equivalent to checking its presence in V_ifnet, and thus ensures that future accesses (while in NET_EPOCH) are safe. Reviewed by: glebius Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D34076 --- sys/kern/kern_mbuf.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/sys/kern/kern_mbuf.c b/sys/kern/kern_mbuf.c index 5c69f663c0e2..23050e991418 100644 --- a/sys/kern/kern_mbuf.c +++ b/sys/kern/kern_mbuf.c @@ -1650,11 +1650,16 @@ m_rcvif_serialize(struct mbuf *m) struct ifnet * m_rcvif_restore(struct mbuf *m) { + struct ifnet *ifp; M_ASSERTPKTHDR(m); + NET_EPOCH_ASSERT(); + + ifp = ifnet_byindexgen(m->m_pkthdr.rcvidx, m->m_pkthdr.rcvgen); + if (ifp == NULL || (ifp->if_flags & IFF_DYING)) + return (NULL); - return ((m->m_pkthdr.rcvif = ifnet_byindexgen(m->m_pkthdr.rcvidx, - m->m_pkthdr.rcvgen))); + return (m->m_pkthdr.rcvif = ifp); } /*