Page MenuHomeFreeBSD
Differential D23009

Take the ifnet's address lock in igmp_v3_cancel_link_timers().
ClosedPublic
Actions

Authored by markj on Jan 2 2020, 5:00 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Oct 20, 2:40 PM
Unknown Object (File)
Thu, Oct 16, 5:44 PM
Unknown Object (File)
Thu, Oct 16, 5:44 PM
Unknown Object (File)
Thu, Oct 16, 5:44 PM
Unknown Object (File)
Thu, Oct 16, 7:10 AM
Unknown Object (File)
Tue, Oct 14, 12:12 AM
Unknown Object (File)
Sun, Oct 5, 3:36 AM
Unknown Object (File)
Sep 20 2025, 4:46 AM
View All 81 Files
Subscribers
imp

Details

Reviewers
hselasky
Group Reviewers
network
Commits
rS356321: Take the ifnet's address lock in igmp_v3_cancel_link_timers().
Summary

inm_rele_locked() may remove the multicast address associated with inm.

Reported by: syzbot+871c5d1fd5fac6c28f52@syzkaller.appspotmail.com

Test Plan

I don't have a test for it yet, syzkaller did not generate a reproducer.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

markj created this revision.Jan 2 2020, 5:00 PM
Harbormaster completed remote builds in B28441: Diff 66254.Jan 2 2020, 5:00 PM
markj edited the test plan for this revision. (Show Details)Jan 2 2020, 5:01 PM
markj added reviewers: hselasky, network.
markj added a comment.Jan 2 2020, 5:09 PM

Also note that this change is consistent with mld_v2_cancel_link_timers().

hselasky requested changes to this revision.Jan 2 2020, 5:56 PM

Looks good.

And add to the commit message that inm_disconnect() asserts the IF_ADDR_WLOCK() .

You might want to move this assert one level up and into: inm_rele_locked() ....

Then you see there is also a call at line 1891, which needs IF_ADDR_WLOCK() around it.

Might be better to only lock when inm_refcount == 0.

This revision now requires changes to proceed.Jan 2 2020, 5:56 PM
markj added a comment.Jan 2 2020, 6:12 PM
In D23009#504106, @hselasky wrote:

Looks good.

And add to the commit message that inm_disconnect() asserts the IF_ADDR_WLOCK() .

You might want to move this assert one level up and into: inm_rele_locked() ....

That assertion would be wrong for the call in igmp_initial_join(), where the refcount is > 1.

Then you see there is also a call at line 1891, which needs IF_ADDR_WLOCK() around it.

The caller, igmp_fasttimo_vnet(), already takes the addr wlock.

Might be better to only lock when inm_refcount == 0.

hselasky accepted this revision.Jan 2 2020, 6:17 PM

OK.

This revision is now accepted and ready to land.Jan 2 2020, 6:17 PM
Closed by commit rS356321: Take the ifnet's address lock in igmp_v3_cancel_link_timers(). (authored by markj). · Explain WhyJan 3 2020, 5:03 PM
This revision was automatically updated to reflect the committed changes.
markj added a commit: rS356321: Take the ifnet's address lock in igmp_v3_cancel_link_timers()..
Herald added a subscriber: imp. · View Herald TranscriptJan 3 2020, 5:03 PM

Revision Contents
Changeset List

PathSize
head/
sys/
netinet/
6 lines

Diff 66305

View Options

head/sys/netinet/igmp.c

Loading...