Page MenuHomeFreeBSD
Differential D18906

Fix an LLE lookup race.
ClosedPublic
Actions

Authored by markj on Jan 20 2019, 5:36 PM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Dec 5, 2:51 AM
Unknown Object (File)
Sat, Nov 23, 7:59 PM
Unknown Object (File)
Nov 19 2024, 2:05 PM
Unknown Object (File)
Nov 18 2024, 2:01 AM
Unknown Object (File)
Nov 17 2024, 5:23 PM
Unknown Object (File)
Nov 11 2024, 2:36 PM
Unknown Object (File)
Nov 11 2024, 2:35 PM
Unknown Object (File)
Nov 11 2024, 1:55 AM
View All 85 Files
Subscribers
ae
emaste
imp

Details

Reviewers
bz
Group Reviewers
network
Commits
rS343363: Fix an LLE lookup race.
Summary

In r334118, uses of the afdata read lock were converted to epoch
sections. In the old locking protocol for LLEs, the afdata read lock
was used to synchronize lookups with lltable table updates, which were
and are performed with the afdata write lock held. Now, the afdata
write lock doesn't block readers from observing a "doomed" LLE that is
still linked into the lltable. Such a reader may block on the LLE lock
held by the thread that is expiring the LLE, so it effectively holds a
reference on the LLE without having updated its refcount. The thread
preparing to free the LLE will release the LLE write lock after having
scheduled the LLE for a deferred free with epoch_call(); the reader may
then schedule the LLE timer, resulting in a use-after-free when the
callout fires.

Fix the problem by checking for the LLE_LINKED flag after having
acquired the LLE lock during a lookup. If the LLE was unlinked while
the thread performing the lookup was blocked, then upon acquiring the
LLE lock it should just pretend that it never saw the LLE in the first
place. The use of epoch(9) ensures that the LLE won't be freed while
we're blocked on the LLE lock.

Note that LLE_UNLOCKED lookups are unaffected, since the caller cannot
acquire a new reference to the LLE.

Test Plan

A number of users running 12.0 have reported panics that I believe
are caused by this bug; they've been testing this patch and have not
yet observed any new panics.

Diff Detail

Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 22059
Build 21287: arc lint + arc unit

Event Timeline

markj created this revision.Jan 20 2019, 5:36 PM
Herald added a subscriber: ae. · View Herald TranscriptJan 20 2019, 5:36 PM
Harbormaster completed remote builds in B22059: Diff 53041.Jan 20 2019, 5:36 PM
markj edited the test plan for this revision. (Show Details)Jan 20 2019, 5:37 PM
markj added a reviewer: network.
emaste added a subscriber: emaste.Jan 20 2019, 10:20 PM
markj added a comment.Jan 22 2019, 3:40 PM

Ping? Is anyone interested in reviewing this?

bz added a reviewer: bz.Jan 23 2019, 6:09 PM
bz mentioned this in D18887: Fix refcounting leaks in IPv6 MLD code leading to loss of IPv6 connectivity.Jan 23 2019, 9:09 PM
bz accepted this revision.Jan 23 2019, 9:18 PM

I am accepting it as it seems all correct. Given you said you want an EN for this as well, you might consider to split it up into two parts so that only the real functional fix would later be part of the EN.

sys/netinet/in.c
1392

While fixing the order of statements here, I can't see how this contributes to the solution of the problem. I think you should just commit that independently.

sys/netinet6/in6.c
2338

Same as above.

This revision is now accepted and ready to land.Jan 23 2019, 9:18 PM
emaste added a comment.Jan 23 2019, 9:41 PM

Here's a copy of the errata template:

errata-template4 KBDownload

After commit and MFC please fill out as much as you can and email to re@ and so@ to move the errata along.

Closed by commit rS343363: Fix an LLE lookup race. (authored by markj). · Explain WhyJan 23 2019, 10:18 PM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: imp. · View Herald TranscriptJan 23 2019, 10:18 PM

Revision Contents
Changeset List

PathSize
sys/
netinet/
21 lines
netinet6/
21 lines

Diff 53041

View Options

sys/netinet/in.c

Loading...
View Options

sys/netinet6/in6.c

Loading...