Kernel crash on nd6_dad_timer
AbandonedPublic
Actions

Authored by steven_chen3_dell.com on Nov 1 2023, 8:25 AM.

Tags

None

Referenced Files

	Unknown Object (File)
	Thu, May 9, 10:08 PM

	Unknown Object (File)
	Thu, May 9, 6:16 AM

	Unknown Object (File)
	Fri, Apr 26, 2:10 AM

	Unknown Object (File)
	Apr 7 2024, 8:56 PM

	Unknown Object (File)
	Apr 7 2024, 5:41 PM

	Unknown Object (File)
	Feb 19 2024, 10:11 PM

	Unknown Object (File)
	Feb 10 2024, 9:40 PM

	Unknown Object (File)
	Dec 20 2023, 6:31 AM

Subscribers

Details

Reviewers

melifaro

Group Reviewers

network

Summary

after nd6_dad_start is called, but before nd6_dad_timer run, if system start sleep, which will trigger nd6_dad_stop run, then before system suspend, nd6_dad_timer run, then kernel will access the freed memory.

Test Plan

sleep,resume test, after 600+ times

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

steven_chen3_dell.com created this revision.Nov 1 2023, 8:25 AM

Herald added subscribers: glebius, ae, imp. · View Herald TranscriptNov 1 2023, 8:25 AM

steven_chen3_dell.com requested review of this revision.Nov 1 2023, 8:25 AM

ae added inline comments.Nov 1 2023, 9:49 AM

sys/netinet6/nd6_nbr.c
1257	This also looks like access after free.

zlei added a reviewer: network.Nov 1 2023, 4:41 PM

zlei added a subscriber: zlei.

change the parameter of nd6_dad_timer to ifa, then before run, find dp by ifa.

steven_chen3_dell.com added inline comments.Nov 6 2023, 4:27 AM

sys/netinet6/nd6_nbr.c
1257	Yes, you are right, thank you! I am too careless. I have updated my diff now.

steven_chen3_dell.com abandoned this revision.Nov 14 2023, 8:10 AM

steven_chen3_dell.com marked an inline comment as not done.

Revision Contents
Changeset List

Path

Size

sys/

netinet6/

nd6_nbr.c

25 lines

Diff 129611

View Options

Kernel crash on nd6_dad_timerAbandonedPublicActions