Re: General Protection Fault in prelist_remove()

From: Ryan Stone <rysto32_at_gmail.com>
Date: Sat, 15 Nov 2014 16:17:35 -0500
On Mon, Sep 16, 2013 at 1:10 PM, Mark Johnston <markj_at_freebsd.org> wrote:
> I've partially fixed this at work by adding a rw lock to protect access
> to the the prefix, default router, and DAD lists. The patch is here:
> http://people.freebsd.org/~markj/patches/ndp-locking.diff

Hi Mark,

I've hit a bug in this patch today.  The problem is in the locking of
the DAD list.  Many functions (e.g.
nd6_dad_duplicated) call nd6_dad_find() to look up a dadq structure,
and then manipulate the structure with no lock held.  The problem that
once nd6_dad_find() releases the ND lock there is nothing preventing
another thread from going in and free'ing the structure.  This causes
a use-after-free in nd6_dad_duplicated.  I have a setup which is
somehow triggering DAD on link-local addresses (I don't understand
why; I don't have duplicate mac addresses on the network as best that
I can tell) and with INVARIANTS on I very frequently get a crash in
nd6_dad_duplicated.


It looks to me that the only way to fix it is either introduce
referencing counting into the structure, or push the locking out of
nd6_dad_find() and into the callers.  Any opinions?
Received on Sat Nov 15 2014 - 20:17:35 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:54 UTC