Page MenuHomeFreeBSD
Differential D23009

Take the ifnet's address lock in igmp_v3_cancel_link_timers().
ClosedPublic
Actions

Authored by markj on Jan 2 2020, 5:00 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Oct 5, 3:36 AM
Unknown Object (File)
Sat, Sep 20, 4:46 AM
Unknown Object (File)
Tue, Sep 16, 5:20 PM
Unknown Object (File)
Aug 25 2025, 10:47 PM
Unknown Object (File)
Aug 5 2025, 4:00 PM
Unknown Object (File)
Aug 2 2025, 7:34 PM
Unknown Object (File)
Jul 27 2025, 11:54 AM
Unknown Object (File)
Jul 27 2025, 6:12 AM
View All 75 Files
Subscribers
imp

Details

Reviewers
hselasky
Group Reviewers
network
Commits
rS356321: Take the ifnet's address lock in igmp_v3_cancel_link_timers().
Summary

inm_rele_locked() may remove the multicast address associated with inm.

Reported by: syzbot+871c5d1fd5fac6c28f52@syzkaller.appspotmail.com

Test Plan

I don't have a test for it yet, syzkaller did not generate a reproducer.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

markj created this revision.Jan 2 2020, 5:00 PM
Harbormaster completed remote builds in B28441: Diff 66254.Jan 2 2020, 5:00 PM
markj edited the test plan for this revision. (Show Details)Jan 2 2020, 5:01 PM
markj added reviewers: hselasky, network.
markj added a comment.Jan 2 2020, 5:09 PM

Also note that this change is consistent with mld_v2_cancel_link_timers().

hselasky requested changes to this revision.Jan 2 2020, 5:56 PM

Looks good.

And add to the commit message that inm_disconnect() asserts the IF_ADDR_WLOCK() .

You might want to move this assert one level up and into: inm_rele_locked() ....

Then you see there is also a call at line 1891, which needs IF_ADDR_WLOCK() around it.

Might be better to only lock when inm_refcount == 0.

This revision now requires changes to proceed.Jan 2 2020, 5:56 PM
markj added a comment.Jan 2 2020, 6:12 PM
In D23009#504106, @hselasky wrote:

Looks good.

And add to the commit message that inm_disconnect() asserts the IF_ADDR_WLOCK() .

You might want to move this assert one level up and into: inm_rele_locked() ....

That assertion would be wrong for the call in igmp_initial_join(), where the refcount is > 1.

Then you see there is also a call at line 1891, which needs IF_ADDR_WLOCK() around it.

The caller, igmp_fasttimo_vnet(), already takes the addr wlock.

Might be better to only lock when inm_refcount == 0.

hselasky accepted this revision.Jan 2 2020, 6:17 PM

OK.

This revision is now accepted and ready to land.Jan 2 2020, 6:17 PM
Closed by commit rS356321: Take the ifnet's address lock in igmp_v3_cancel_link_timers(). (authored by markj). · Explain WhyJan 3 2020, 5:03 PM
This revision was automatically updated to reflect the committed changes.
markj added a commit: rS356321: Take the ifnet's address lock in igmp_v3_cancel_link_timers()..
Herald added a subscriber: imp. · View Herald TranscriptJan 3 2020, 5:03 PM

Revision Contents
Changeset List

PathSize
head/
sys/
netinet/
6 lines

Diff 66305

View Options

head/sys/netinet/igmp.c

Loading...