[Bug 225438] panic in6_unlink_ifa() due to race

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Wed Jan 24 23:21:39 UTC 2018


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225438

--- Comment #1 from Dave Baukus <daveb at spectralogic.com> ---
Patching in6_unlink_ifa() with something like below only pushes the crash to
a double free in in6_leavegroup():

#11 0xffffffff804bf103 in panic (fmt=<value optimized out>)
#12 0xffffffff8073765e in uma_dbg_free (zone=0xfffff81b7ffce000, ...)
#13 0xffffffff807370d4 in uma_zfree_arg (zone=0xfffff81b7ffce000, ...)
#14 0xffffffff8049a91b in free (addr=0xfffff801eb278c20, mtp=0xffffffff80b5a980)
#15 0xffffffff80684b6f in in6_leavegroup (imm=0xfffff801eb278c20)
#16 0xffffffff8067e83b in in6_purgeaddr (ifa=0xfffff8015b270600)
#17 0xffffffff8067c355 in in6_control ()


% diff -du in6.c.orig  in6.c
--- in6.c.orig  2018-01-24 16:15:52.742977158 -0700
+++ in6.c       2018-01-24 16:17:29.140814668 -0700
@@ -1288,8 +1288,16 @@
        int remove_lle;

        IF_ADDR_WLOCK(ifp);
-       TAILQ_REMOVE(&ifp->if_addrhead, &ia->ia_ifa, ifa_link);
+       TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
+               if (ifa->ifa_addr->sa_family == AF_INET6 &&
+                   (struct in6_ifaddr *)ifa == ia) {
+                       TAILQ_REMOVE(&ifp->if_addrhead, &ia->ia_ifa, ifa_link);
+                       break;
+               }
+       }
        IF_ADDR_WUNLOCK(ifp);
+       if (ifa == NULL)
+               return;
        ifa_free(&ia->ia_ifa);                  /* if_addrhead */
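Review bot: the early `return` when `ia` is not found on `if_addrhead` only skips this function's own `ifa_free()`; the caller is unaware and keeps going, and the backtrace above shows `in6_purgeaddr()` then entering `in6_leavegroup()` on the same `ia`, which is where the double free now lands. Finding the address already unlinked here means two callers are purging the same `ia` concurrently, so ownership of the purge needs to be decided once (for example, record under `IF_ADDR_WLOCK` whether this caller was the one that unlinked it, and propagate that result so the caller stops entirely) rather than having each step tolerate a missing entry on its own. Minor points: the `sa_family == AF_INET6` test is redundant once the pointer comparison is made, `ifa == &ia->ia_ifa` would avoid the cast, and `ifa` must be declared in this function, which the context lines do not show.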
