Problem: no locking around IPv6 prefix structures in prelist_remove
    Steve Read
    steve.read at netasq.com
    Mon May 26 09:19:36 UTC 2014

I have recently encountered an interesting double-free crash in
prelist_remove() (management of IPv6 prefixes used by interface
addresses) using a modified version of 9.2. We've seen this once.

It appears that two userland threads tried simultaneously to remove the
last interface address that referenced a particular prefix, and both,
therefore, tried to remove it from the global list of prefixes. (Feel
free to correct my interpretation of the purpose of prelist_remove and
how it is invoked.) One of them succeeded, and the other was left
holding a chunk of free()ed memory, and crashed when trying to delete it.

I looked at the code surrounding this function, and I can find no sign
of locking around the prefix list or, indeed, anywhere in the call stack
(sys_ioctl => kern_ioctl => soo_ioctl => ifi_ioctl => in6_control => prelist_remove).
I looked in HEAD, and this part of the code appears to be more or less
the same, in particular the question of locking.

Should I submit a PR? (No, we can't retry with a generic kernel.)

-- Steve Read
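The following is an added illustration of the failure mode described in the report; it is not code from the post or from FreeBSD. It models a reference-counted prefix on a global list: each thread drops one reference, and whoever sees the count reach zero unlinks and frees the prefix. The unlocked variant is split into its two steps (decrement, then check-and-remove) and replayed in one interleaving where both threads observe zero and both free, which is the double free described. The locked variant holds a mutex across decrement, check and unlink, so only one releaser can see zero. The names (struct prefix, prefix_list, prefix_list_mtx, addr_release_*) and the use of a tombstone flag instead of a real free() are assumptions made so the double free can be counted rather than crash the process.

```c
/* Added example, not FreeBSD code. Illustrative names throughout. */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct prefix {
    int refcnt;            /* addresses still referencing this prefix */
    bool freed;            /* tombstone: a second release is counted, not a crash */
    struct prefix *next;   /* link in the global prefix list */
};

static struct prefix *prefix_list;   /* global list of prefixes (assumed) */
static pthread_mutex_t prefix_list_mtx = PTHREAD_MUTEX_INITIALIZER;

/* Unlink pr from the global list and release it. Returns 1 if pr had
 * already been released (a double free), 0 otherwise. */
static int prelist_remove_model(struct prefix *pr)
{
    struct prefix **pp;
    for (pp = &prefix_list; *pp != NULL; pp = &(*pp)->next) {
        if (*pp == pr) { *pp = pr->next; break; }
    }
    if (pr->freed)
        return 1;          /* already released: the reported crash */
    pr->freed = true;
    return 0;
}

/* Allocate a prefix referenced by `refs` addresses and put it on the list. */
static struct prefix *prefix_new(int refs)
{
    struct prefix *pr = calloc(1, sizeof *pr);
    pr->refcnt = refs;
    pr->next = prefix_list;
    prefix_list = pr;
    return pr;
}

/* Unlocked release as two separate steps. Nothing stops another thread
 * from running between step 1 (drop a reference) and step 2 (check the
 * shared count and remove the prefix if it is zero). */
static void addr_release_unlocked_step1(struct prefix *pr) { pr->refcnt--; }
static int  addr_release_unlocked_step2(struct prefix *pr)
{
    return pr->refcnt == 0 ? prelist_remove_model(pr) : 0;
}

/* Deterministic replay of one bad interleaving on a prefix with two
 * references: A decrements (2->1), B decrements (1->0), then both read 0
 * and both call prelist_remove. Returns the number of double frees (1). */
int replay_unlocked_race(void)
{
    struct prefix *pr = prefix_new(2);
    int doubles = 0;
    addr_release_unlocked_step1(pr);            /* thread A: refcnt 2 -> 1 */
    addr_release_unlocked_step1(pr);            /* thread B: refcnt 1 -> 0 */
    doubles += addr_release_unlocked_step2(pr); /* A: sees 0, unlinks and frees */
    doubles += addr_release_unlocked_step2(pr); /* B: sees 0, frees again */
    free(pr);
    return doubles;
}

/* Locked release: decrement, zero check and unlink form one critical
 * section, so exactly one releaser can observe the count reaching zero. */
struct release_arg { struct prefix *pr; int doubles; };

static void *addr_release_locked(void *arg)
{
    struct release_arg *ra = arg;
    pthread_mutex_lock(&prefix_list_mtx);
    if (--ra->pr->refcnt == 0)
        ra->doubles = prelist_remove_model(ra->pr);
    pthread_mutex_unlock(&prefix_list_mtx);
    return NULL;
}

/* nthreads threads each drop one of nthreads references concurrently.
 * Returns the number of double frees observed (0 with correct locking),
 * or -1 if the prefix was not released exactly once and unlinked. */
int run_locked_release(int nthreads)
{
    struct prefix *pr = prefix_new(nthreads);
    pthread_t tids[nthreads];
    struct release_arg args[nthreads];
    int doubles = 0;
    for (int i = 0; i < nthreads; i++) {
        args[i].pr = pr; args[i].doubles = 0;
        pthread_create(&tids[i], NULL, addr_release_locked, &args[i]);
    }
    for (int i = 0; i < nthreads; i++) {
        pthread_join(tids[i], NULL);
        doubles += args[i].doubles;
    }
    if (!pr->freed || prefix_list != NULL)
        doubles = -1;      /* released zero times, or left on the list */
    free(pr);
    return doubles;
}

int main(void)
{
    printf("unlocked replay: %d double free(s)\n", replay_unlocked_race());
    printf("locked, 8 threads: %d double free(s)\n", run_locked_release(8));
    return 0;
}
```

The point of the replay is that the hazard is not the decrement alone but the gap between the decrement and the separate test of the shared count: two releasers can both find it at zero. Any fix has to make decrement, check and unlink indivisible with respect to other releasers, whether by a lock around the prefix list as modelled here or by some other mechanism.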

More information about the freebsd-net mailing list