Kernel crash on nd6_dad_timer
AbandonedPublic
Actions

Authored by steven_chen3_dell.com on Nov 1 2023, 8:25 AM.

Tags

None

Referenced Files

	Unknown Object (File)
	Thu, Feb 20, 11:05 PM

	Unknown Object (File)
	Jan 9 2025, 5:28 PM

	Unknown Object (File)
	Dec 9 2024, 3:41 AM

	Unknown Object (File)
	Nov 7 2024, 8:42 AM

	Unknown Object (File)
	Sep 9 2024, 1:16 AM

	Unknown Object (File)
	Sep 9 2024, 12:27 AM

	Unknown Object (File)
	Sep 8 2024, 10:59 PM

	Unknown Object (File)
	Sep 2 2024, 11:55 PM

Subscribers

Details

Reviewers

melifaro

Group Reviewers

network

Summary

after nd6_dad_start is called, but before nd6_dad_timer run, if system start sleep, which will trigger nd6_dad_stop run, then before system suspend, nd6_dad_timer run, then kernel will access the freed memory.

Test Plan

sleep,resume test, after 600+ times

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

steven_chen3_dell.com created this revision.Nov 1 2023, 8:25 AM

Herald added subscribers: glebius, ae, imp. · View Herald TranscriptNov 1 2023, 8:25 AM

steven_chen3_dell.com requested review of this revision.Nov 1 2023, 8:25 AM

ae added inline comments.Nov 1 2023, 9:49 AM

sys/netinet6/nd6_nbr.c
1257	This also looks like access after free.

zlei added a reviewer: network.Nov 1 2023, 4:41 PM

zlei added a subscriber: zlei.

change the parameter of nd6_dad_timer to ifa, then before run, find dp by ifa.

steven_chen3_dell.com added inline comments.Nov 6 2023, 4:27 AM

sys/netinet6/nd6_nbr.c
1257	Yes, you are right, thank you! I am too careless. I have updated my diff now.

steven_chen3_dell.com abandoned this revision.Nov 14 2023, 8:10 AM

steven_chen3_dell.com marked an inline comment as not done.

Revision Contents
Changeset List

Path

Size

sys/

netinet6/

nd6_nbr.c

25 lines

Diff 129611

View Options

Kernel crash on nd6_dad_timerAbandonedPublicActions