OK, thanks.

-- Steve Read

On 26.05.2014 11:24, Bjoern A. Zeeb wrote:
> On 26 May 2014, at 09:11 , Steve Read <steve.r...@netasq.com> wrote:
>
>> I have recently encountered an interesting double-free crash in
>> prelist_remove() (management of IPv6 prefixes used by interface addresses)
>> using a modified version of 9.2.  We've seen this once.
>>
>> It appears that two userland threads tried simultaneously to remove the last
>> interface address that referenced a particular prefix, and both, therefore,
>> tried to remove it from the global list of prefixes.  (Feel free to correct my
>> interpretation of the purpose of prelist_remove and how it is invoked.)  One of
>> them succeeded, and the other was left holding a chunk of free()ed memory, and
>> crashed when trying to delete it.
>>
>> I looked at the code surrounding this function, and I can find no sign of
>> locking around the prefix list or, indeed, anywhere in the call stack
>> (sys_ioctl => kern_ioctl => soo_ioctl => ifi_ioctl => in6_control =>
>> prelist_remove).  I looked in HEAD, and this part of the code appears to be
>> more or less the same, in particular the question of locking.
>>
>> Should I submit a PR (no, we can't retry with a generic kernel)?
>
> No need for either.
>
> markj@ has a patch to fix a good deal of racy prefix list locking which needs
> review and testing.
>
> —
> Bjoern A. Zeeb             "Come on. Learn, goddamn it.", WarGames, 1983
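
The race Steve describes, reduced to a toy model as an added example (this is editor's code, not code from the thread or from sys/netinet6; the struct, the function names and the "decrement, then check, then unlink" shape of the unlocked path are assumptions made for illustration). The first function drives the bad interleaving by hand: two address removals both decrement the prefix's reference count before either one checks it, so both observe zero and both call the prelist_remove stand-in. The second shows the shape a fix has to take: the decrement, the last-reference decision and the unlink all under one lock, with the release done only by the caller that actually unlinked the prefix. free() is replaced by a counter so the double release can be observed instead of crashing the process.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>

/*
 * Toy model of the IPv6 prefix list (constructed for this example; names
 * and layout are assumptions and do not match the FreeBSD kernel). Each
 * prefix counts the interface addresses that still reference it; whoever
 * drops the last reference unlinks the prefix from the global list and
 * releases it.
 */
struct prefix {
    struct prefix *next;
    int refcnt;     /* interface addresses referencing this prefix */
    int releases;   /* times "freed": stands in for free() so we can count */
};

static struct prefix *prefix_list;   /* one global list for the whole stack */
static pthread_mutex_t prefix_lock = PTHREAD_MUTEX_INITIALIZER;

static struct prefix *prefix_new(int refs)
{
    struct prefix *p = calloc(1, sizeof(*p));
    if (p == NULL)
        abort();
    p->refcnt = refs;
    p->next = prefix_list;
    prefix_list = p;
    return p;
}

/* Unlink p from the global list; true if it was still linked. */
static bool prefix_unlink(struct prefix *p)
{
    for (struct prefix **pp = &prefix_list; *pp != NULL; pp = &(*pp)->next) {
        if (*pp == p) {
            *pp = p->next;
            return true;
        }
    }
    return false;
}

/* Stand-in for prelist_remove(): unlink and release. Real code ends in
 * free(p), so a second call on the same p walks the list through freed
 * memory and frees it again; here it only bumps a counter. */
static void prelist_remove_model(struct prefix *p)
{
    prefix_unlink(p);
    p->releases++;
}

/* Unlocked address removal split into its two halves (assumed shape), so
 * the interleaving between two threads can be driven explicitly below. */
static void racy_drop_ref(struct prefix *p) { p->refcnt--; }
static void racy_check_and_remove(struct prefix *p)
{
    if (p->refcnt == 0)
        prelist_remove_model(p);
}

/* Two threads each remove one of the two addresses referencing a prefix,
 * with no lock. Both decrements land before either check, so both see 0.
 * Returns how many times the prefix was released: 2 is the reported bug. */
static int simulate_unlocked_race(void)
{
    struct prefix *p = prefix_new(2);
    racy_drop_ref(p);          /* thread A: refcnt 2 -> 1 */
    racy_drop_ref(p);          /* thread B: refcnt 1 -> 0 */
    racy_check_and_remove(p);  /* thread A: sees 0, unlinks, "frees" */
    racy_check_and_remove(p);  /* thread B: sees 0, "frees" again */
    int n = p->releases;
    free(p);                   /* model object only; already unlinked */
    return n;
}

/* Fixed path: decrement, last-reference decision and unlink happen under
 * one lock, so no other caller can observe the count at zero. Only the
 * caller that unlinked the prefix releases it, after dropping the lock. */
static void locked_addr_remove(struct prefix *p)
{
    pthread_mutex_lock(&prefix_lock);
    bool last = (--p->refcnt == 0);
    if (last)
        prefix_unlink(p);
    pthread_mutex_unlock(&prefix_lock);
    if (last)
        p->releases++;         /* would be free(p) */
}

/* Same two removals through the locked path: exactly one release. */
static int simulate_locked_removal(void)
{
    struct prefix *p = prefix_new(2);
    locked_addr_remove(p);     /* thread A: refcnt 2 -> 1, not last */
    locked_addr_remove(p);     /* thread B: refcnt 1 -> 0, unlinks, releases */
    int n = p->releases;
    free(p);
    return n;
}
```

The unlocked path is shown as separate functions only to make the interleaving reproducible; in real code the same gap exists between a plain `refcnt--` and a later `if (refcnt == 0)` whenever nothing serialises the two. Note that unlinking under the lock is what protects the list walk itself; deciding "last reference" from the locked decrement is what stops a second caller from reaching prelist_remove at all.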


_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net