GPF when doing jail -r, possibly an use-after-free
Mikolaj Golub
trociny at freebsd.org
Wed Jul 4 07:01:04 UTC 2012
On Tue, 03 Jul 2012 10:45:40 -0700 Xin Li wrote:
XL> Hi,
XL> I've talked with bz@ briefly about this and we think it's better to
XL> put this to a mailing list.
XL> Here is what I have seen on 8.2-RELEASE (with a few local patches).
XL> When doing "jail -r <jid>", after a while, a GPF happens here, in
XL> sys/net/vnet.c:
XL> /*
XL> * Destroy a virtual network stack.
XL> */
XL> void
XL> vnet_destroy(struct vnet *vnet)
XL> {
XL> struct ifnet *ifp, *nifp;
XL> [...]
XL> /* Return all inherited interfaces to their parent vnets. */
XL> TAILQ_FOREACH_SAFE(ifp, &V_ifnet, if_link, nifp) {
XL> ---> if (ifp->if_home_vnet != ifp->if_vnet)
XL> if_vmove(ifp, ifp->if_home_vnet);
XL> }
XL> Where I saw %esi and %edi as "0xdeadc0de", so my understanding is that
XL> there is an use-after-free somewhere. I'm still trying to track this
XL> bug down.
XL> In this configuration we used bridge and epair to communicate with the
XL> jail. Teardown of the bridge would bring the underlying interface
XL> down and up, not sure if that's related though.
Is this observed after destroying epair? There is an issue with epair: on
destroy, when epair_clone_destroy() calls ether_ifdetach() for its second half
it does not switch to its vnet and if_detach_internal() can't find the
interface and just returns. As a result V_ifnet list is left with dead
reference.
http://lists.freebsd.org/pipermail/freebsd-virtualization/2011-January/000628.html
Here is an updated patch against CURRENT:
http://people.freebsd.org/~trociny/if_epair.c.epair_clone_destroy.1.patch
--
Mikolaj Golub
More information about the freebsd-virtualization
mailing list