kern/93170 : Changing system date causes panic in nd6_timer
David Malone
dwmalone at maths.tcd.ie
Sat Feb 11 09:00:24 PST 2006
The following reply was made to PR kern/93170; it has been noted by GNATS.
From: David Malone <dwmalone at maths.tcd.ie>
To: bug-followup at FreeBSD.org, kris at FreeBSD.org
Cc: rwatson at FreeBSD.org, iedowse at maths.tcd.ie, dwmalone at maths.tcd.ie
Subject: Re: kern/93170 : Changing system date causes panic in nd6_timer
Date: Sat, 11 Feb 2006 16:59:38 +0000
I'm fairly sure I know what's going on here, as I've seen a few
more of these panics. There seems to be a bundle of IPv6 neighbour
discovery code that uses splnet() and hasn't had any locking added
to it yet. One of these bits of code is walking some global lists
and is obviously getting into trouble.
I believe this same code is also causing dirhash panics people have
reported 'cos some of the memory it is using is getting reused by
dirhash.
I sent the message below to Robert a while ago - since I haven't
heard back from him, I'm going to have a go at adding some locking.
David.
Subject: IPv6 address list locking.
Date: Fri, 20 Jan 2006 17:48:57 +0000
From: David Malone <dwmalone at maths.tcd.ie>
Message-ID: <200601201748.aa69772 at salmon.maths.tcd.ie>
Hi Robert,
I've been trying to trace some use-after-free problems that have
paniced the kernel in dirhash. A few weeks ago I got a panic that
indicated that the ifnet malloc pool might be the problem. Using
memguard on my desktop in Dublin paniced today and, judging by the
reports of the guy who reset it for me, it paniced at nd6_timer+0xe8.
This looks like a bit of nd6_timer code that accesses a global list
of IPv6 addresses stored in a variable called in6_ifaddr. Rather
annoyingly this variable has the same name as a structure, so it
is difficult to grep for. However, I don't see any locking of
accesses to this variable.
Do you have a scheme for locking globals like this in the IPv6
stack? Does it look like nd6_timeout is violaing this locking?
David.
in6.c: for (ia = in6_ifaddr; ia; ia = ia->ia_next) {
in6.c: for (ia = in6_ifaddr; ia; ia = ia->ia_next) {
in6.c: for (ia = in6_ifaddr; ia; ia = ia->ia_next) {
in6_src.c: for (ia = in6_ifaddr; ia; ia = ia->ia_next) {
nd6.c: for (ia6 = in6_ifaddr; ia6; ia6 = nia6) {
nd6.c: for (ia = in6_ifaddr; ia; ia = ia_next) {
nd6_rtr.c: for (ifa = in6_ifaddr; ifa; ifa = ifa->ia_next) {
nd6_rtr.c: for (ifa = in6_ifaddr; ifa; ifa = ifa->ia_next) {
nd6_rtr.c: for (ifa = in6_ifaddr; ifa; ifa = ifa->ia_next) {
nd6_rtr.c: for (ia = in6_ifaddr; ia; ia = ia->ia_next) {
More information about the freebsd-bugs
mailing list