Protect ng_iface(4) private data
ClosedPublic
Actions

Authored by eugen_grosbein.net on Sep 21 2017, 4:04 PM.

Details

Reviewers

avg
mav

Commits

rS324176: MFC r323873, r324081: Unprotected modification of ng_iface(4)
rS324175: MFC r323873, r324081: Unprotected modification of ng_iface(4)
rS323873: Unprotected modification of ng_iface(4) private data leads to kernel panic.

Summary

There is a race between ng_iface(4) using its private data to select a hook and send data and another kernel thread removing selected hook. Kernel panices in such case due to access to memory just freed.

See also https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220076 for backtrace details.

Test Plan

The nature of the race makes it hard to reproduce the bug, but it can easily happen using high loaded (or stress-tested) net/mpd5 installation.

Apply the patch.
Rebuild a kernel and/or ng_iface kernel module.
Run busy mpd5 server with hundreds of users reconnecting very often.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

eugen_grosbein.net created this revision.Sep 21 2017, 4:04 PM

Herald added a subscriber: imp. · View Herald TranscriptSep 21 2017, 4:04 PM

Other than the NULL pointer check, looks good to me.
Thank you!

sys/netgraph/ng_iface.c
459 ↗	(On Diff #33268)	I think that a NULL pointer check is missing here.

hook needs to be NULL-checked before refcounting.

Approved.

But please wait for a node from @mav.

This revision is now accepted and ready to land.Sep 21 2017, 4:37 PM

Looks good to me.

Closed by commit rS323873: Unprotected modification of ng_iface(4) private data leads to kernel panic. (authored by eugen). · Explain WhySep 21 2017, 8:16 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

Path

Size

head/

sys/

netgraph/

ng_iface.c

37 lines

Diff 33278

View Options

head/sys/netgraph/ng_iface.c

Protect ng_iface(4) private dataClosedPublicActions