[Bug 225438] panic in6_unlink_ifa() due to race
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Wed Jan 24 23:21:39 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225438
--- Comment #1 from Dave Baukus <daveb at spectralogic.com> ---
Patching in6_unlink_ifa() with something like below only pushes the crash to a double free in in6_leavegroup():
#11 0xffffffff804bf103 in panic (fmt=<value optimized out>)
#12 0xffffffff8073765e in uma_dbg_free (zone=0xfffff81b7ffce000, ...)
#13 0xffffffff807370d4 in uma_zfree_arg (zone=0xfffff81b7ffce000, ...)
#14 0xffffffff8049a91b in free (addr=0xfffff801eb278c20, mtp=0xffffffff80b5a980)
#15 0xffffffff80684b6f in in6_leavegroup (imm=0xfffff801eb278c20)
#16 0xffffffff8067e83b in in6_purgeaddr (ifa=0xfffff8015b270600)
#17 0xffffffff8067c355 in in6_control ()
% diff -du in6.c.orig in6.c
--- in6.c.orig 2018-01-24 16:15:52.742977158 -0700
+++ in6.c 2018-01-24 16:17:29.140814668 -0700
@@ -1288,8 +1288,16 @@
int remove_lle;
IF_ADDR_WLOCK(ifp);
- TAILQ_REMOVE(&ifp->if_addrhead, &ia->ia_ifa, ifa_link);
+ TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
+ if (ifa->ifa_addr->sa_family == AF_INET6 &&
+ (struct in6_ifaddr *)ifa == ia) {
+ TAILQ_REMOVE(&ifp->if_addrhead, &ia->ia_ifa, ifa_link);
+ break;
+ }
+ }
IF_ADDR_WUNLOCK(ifp);
+ if (ifa == NULL)
+ return;
ifa_free(&ia->ia_ifa); /* if_addrhead */
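Review bot: the early exit on `+ if (ifa == NULL)` / `+ return;` only makes in6_unlink_ifa() tolerate a second caller; that caller (in6_purgeaddr(), frame #16 in the trace above) still runs on to in6_leavegroup() and frees the same membership a second time, which is the double free this comment reports. The loser of the race has to skip the whole purge, not just the TAILQ_REMOVE: record "already unlinked" for this ia under the same IF_ADDR_WLOCK that protects the list walk (or serialize the competing in6_control() callers) and have in6_purgeaddr() bail out before it reaches in6_leavegroup(). Two smaller points on the same hunk: the `ifa->ifa_addr->sa_family == AF_INET6` test is redundant once the entry pointer is compared with `ia`, and no declaration of `ifa` is visible in in6_unlink_ifa() (only `int remove_lle;` shows in the context), so confirm one exists or add `struct ifaddr *ifa;` next to it.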
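The following is an added example, not code from the bug report or from FreeBSD: a deterministic, single-threaded model of the race the comment describes. Two "purgers" (standing in for two in6_purgeaddr() calls racing on one address) each unlink the address from the interface list and then release its multicast membership. With only the membership-tested unlink from the patch, the second purger finds nothing on the list, returns from the unlink, but still goes on to free the membership: the double free in in6_leavegroup(). Claiming the address under the list lock and skipping the entire purge for the loser avoids it. All names here (model_*, IA_PURGING) are invented for the illustration, the interleaving is scripted rather than threaded, and frees are counted instead of performed so the outcome is a return value rather than a crash.

```c
/*
 * Constructed model of the in6_unlink_ifa()/in6_leavegroup() race.
 * Not FreeBSD code: model_* and IA_PURGING are hypothetical names.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct model_imm { int times_freed; };          /* stands in for in6_multi_mship */

struct model_ifa {
    struct model_ifa *next;                     /* singly linked if_addrhead stand-in */
    struct model_imm *imm;
    unsigned flags;
};
#define IA_PURGING 0x1u                         /* hypothetical "purge in progress" bit */

struct model_ifp {
    struct model_ifa *addrhead;
    int lock_depth;                             /* stands in for IF_ADDR_WLOCK */
};

static void model_lock(struct model_ifp *ifp)   { ifp->lock_depth++; }
static void model_unlock(struct model_ifp *ifp) { ifp->lock_depth--; }

/* Membership-tested unlink, as in the patch: remove only if ia is still listed.
 * Returns whether it was found; the caller in the patch does not see this. */
static bool model_unlink_ifa(struct model_ifp *ifp, struct model_ifa *ia)
{
    struct model_ifa **pp;
    bool found = false;

    model_lock(ifp);
    for (pp = &ifp->addrhead; *pp != NULL; pp = &(*pp)->next) {
        if (*pp == ia) {
            *pp = ia->next;
            ia->next = NULL;
            found = true;
            break;
        }
    }
    model_unlock(ifp);
    return found;
}

/* Stand-in for in6_leavegroup(): counts frees instead of calling free(). */
static void model_leavegroup(struct model_imm *imm) { imm->times_freed++; }

/* First half of a purge. Returns false if this purger bails out entirely. */
static bool model_purge_begin(struct model_ifp *ifp, struct model_ifa *ia, bool hardened)
{
    if (hardened) {
        /* Claim ia under the same lock that protects the list walk; the loser
         * of the race sees the flag and skips everything, including leavegroup. */
        bool already;
        model_lock(ifp);
        already = (ia->flags & IA_PURGING) != 0;
        ia->flags |= IA_PURGING;
        model_unlock(ifp);
        if (already)
            return false;
    }
    (void)model_unlink_ifa(ifp, ia);    /* result ignored, as in6_purgeaddr() would */
    return true;
}

/* Second half of a purge: release the multicast membership. */
static void model_purge_finish(struct model_ifa *ia) { model_leavegroup(ia->imm); }

/* Script the race: both purgers unlink before either leaves the group.
 * Returns how many times the membership was freed; 2 means a double free. */
int model_race(bool hardened)
{
    struct model_imm imm = { 0 };
    struct model_ifa ia = { NULL, &imm, 0 };
    struct model_ifp ifp = { &ia, 0 };

    bool a = model_purge_begin(&ifp, &ia, hardened);   /* purger A removes ia */
    bool b = model_purge_begin(&ifp, &ia, hardened);   /* purger B: walk finds nothing */
    if (a)
        model_purge_finish(&ia);
    if (b)
        model_purge_finish(&ia);                       /* unhardened: second free */
    return imm.times_freed;
}

int main(void)
{
    printf("membership-tested unlink only: frees=%d\n", model_race(false));
    printf("purging flag under the lock:   frees=%d\n", model_race(true));
    return 0;
}
```

The membership walk in model_unlink_ifa() protects only the list; the purging flag protects the address, which is what the two callers actually contend for.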