Page MenuHomeFreeBSD
Differential D26586

ng_l2tp: Fix synchronization with node shutdown or reset
AbandonedPublic
Actions

Authored by mjg on Sep 29 2020, 1:24 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Mar 24, 7:42 PM
Unknown Object (File)
Mar 21 2024, 6:17 PM
Unknown Object (File)
Mar 21 2024, 6:17 PM
Unknown Object (File)
Mar 21 2024, 5:44 PM
Unknown Object (File)
Feb 26 2024, 4:53 PM
Unknown Object (File)
Jan 15 2024, 5:09 AM
Unknown Object (File)
Jan 6 2024, 7:57 PM
Unknown Object (File)
Dec 22 2023, 10:58 PM
View All 34 Files
Subscribers
donner
melifaro
mjg

Details

Reviewers
donner
glebius
bz
afedorov
markj
Summary

ng_l2tp_seq_reset() clears sequence number state for a node but does so
without holding the associated mutex. It stops callouts first but
without the mutex this is racy. This can be triggered by node shutdown
or a NGM_L2TP_SET_CONFIG message with "enabled" set to 0.

Also modify the shutdown code to block until callouts are finished
executing before freeing memory. ng_uncallout() does not, and cannot,
cancel a running callout.

Diff Detail

Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 33875
Build 31083: arc lint + arc unit

Event Timeline

markj created this revision.Sep 29 2020, 1:24 PM
Herald added subscribers: melifaro, donner. · View Herald TranscriptSep 29 2020, 1:24 PM
markj requested review of this revision.Sep 29 2020, 1:24 PM
Harbormaster completed remote builds in B33875: Diff 77629.Sep 29 2020, 1:24 PM
markj added reviewers: donner, glebius, bz, afedorov.Sep 29 2020, 1:25 PM
donner added inline comments.Sep 29 2020, 8:13 PM
sys/netgraph/ng_l2tp.c
660–661

ng_uncallout calls NG_FREE_ITEM(...->c_arg), too.
How is this handled now? By waiting for the callout to do it itself?

markj added inline comments.Sep 29 2020, 9:22 PM
sys/netgraph/ng_l2tp.c
660–661

Hmm, good question. This case is handled in the netgraph framework: when you use ng_callout(), a callout is scheduled using ng_callout_trampoline(), which uses a NGQF_FN message to execute the timeout handler in the context of a netgraph node. ng_apply_item() handles freeing the item after calling the function. So ng_uncallout() frees the item if it stopped the callout before it started executing, otherwise it is freed by the callout handler itself.

Note that ng_l2tp_seq_reset() calls ng_uncallout() already to stop the handlers. If that catches the handlers before they check callout_active() then they're ok. However, ng_l2tp_seq_rack_timeout() reschedules itself. So there is a (very narrow) race:

CPU 1:

  • in ng_l2tp_seq_rack_timeout()
  • reschedules the callout, allocating an item
  • drops seq->mtx, but does not return yet

CPU 2:

  • calls ng_l2tp_seq_reset(), calls ng_uncallout(&seq->rack_timer)
  • callout_stop() returns 0 because rack_timer is still executing
  • ng_uncallout() does not free the item allocated by CPU 1 above
  • item is leaked

I will think about it some more, but I think this problem is general to ng_callout()/ng_uncallout().

donner added a comment.Sep 30 2020, 6:54 AM

In order to prevent this race, the node should be know. that it's in shutdown. This way the callout can skip the reinvocation.
Another solution would be to free the c_arg argument manually.

mjg commandeered this revision.Aug 6 2021, 2:01 PM
mjg added a reviewer: markj.
mjg added a subscriber: mjg.

Take the revision as agreed with markj.

mjg abandoned this revision.Sep 17 2021, 12:50 AM

D31476

Revision Contents
Changeset List

PathSize
sys/
netgraph/
10 lines

Diff 77629

View Options

sys/netgraph/ng_l2tp.c

Loading...