mbuf: do not restore dying interfaces
Closed, Public

Authored by kp on Jan 28 2022, 10:34 AM.

Details

Summary

When we remove an interface it is first removed from the interface list
V_ifnet (by if_unlink_ifnet()) and marked as IFF_DYING. We then wait for
any possible references to stop being used (i.e.
epoch_wait/epoch_drain_callbacks) before we tear it fully down.

However, the index in ifindex_table is not removed, so m_rcvif_restore()
can still find the (now dying) interface.

This results in panics, for example when dummynet restores the rcvif
pointer and passes a packet to ip6_input() we can panic because the
AF_INET6 domain has already been removed (so we end up dereferencing a
NULL pointer there).

Check that the interface is not dying before we restore it, which is
equivalent to checking its presence in V_ifnet, and thus ensures that
future accesses (while in NET_EPOCH) are safe.

Sponsored by: Rubicon Communications, LLC ("Netgate")
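
A simplified userspace model of the lookup described in the summary, added here as an illustration and not taken from the FreeBSD patch. All `model_*` names, the table size and the sample values are assumptions; it contrasts an index-only lookup, which still returns an interface after the first stage of removal, with one that treats a dying interface as absent.

```c
#include <stddef.h>
/* Userspace model only: every name here is hypothetical, not FreeBSD's. */
#define MODEL_IFF_DYING 0x1u
#define MODEL_MAXIF     8

struct model_ifnet {
	unsigned  flags;
	int      *af_data;  /* stands in for per-domain state freed during teardown */
};
struct model_mbuf { unsigned rcvidx; };  /* saved index instead of a pointer */
static struct model_ifnet *model_ifindex_table[MODEL_MAXIF];

/* First stage of removal: mark dying, drop domain state; index entry stays. */
void model_begin_detach(struct model_ifnet *ifp)
{
	ifp->flags |= MODEL_IFF_DYING;
	ifp->af_data = NULL;
}

/* Lookup by index alone: still returns an interface that is being torn down. */
struct model_ifnet *model_restore_unchecked(const struct model_mbuf *m)
{
	return (m->rcvidx < MODEL_MAXIF ? model_ifindex_table[m->rcvidx] : NULL);
}

/* Lookup that treats a dying interface as absent. */
struct model_ifnet *model_restore_checked(const struct model_mbuf *m)
{
	struct model_ifnet *ifp = model_restore_unchecked(m);
	return (ifp != NULL && (ifp->flags & MODEL_IFF_DYING) == 0 ? ifp : NULL);
}

/* Input path: drop (-1) when no usable interface, else read domain state. */
int model_input(const struct model_mbuf *m)
{
	struct model_ifnet *ifp = model_restore_checked(m);
	return (ifp == NULL ? -1 : *ifp->af_data);
}

int main(void)
{
	int state = 7;  /* constructed sample value */
	struct model_ifnet ifn = { 0, &state };
	struct model_mbuf m = { 3 };
	model_ifindex_table[3] = &ifn;
	model_begin_detach(&ifn);
	return (model_input(&m) == -1 ? 0 : 1);  /* 0: packet dropped safely */
}
```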

Diff Detail

Repository: rS FreeBSD src repository - subversion
Lint: Lint Passed
Unit: No Test Coverage
Build Status: Buildable 44139
Build 41027: arc lint + arc unit

Event Timeline

kp requested review of this revision. Jan 28 2022, 10:34 AM

Remove mostly unrelated dummynet fix

Why can't we remove it from the ifindex, too? That would be a normal delayed free practice: remove all references to a structure, mark it as being deleted and wait for threads that hold a reference to finish.

Note: we set this flag twice: if_unlink_vnet() and if_free(). This doesn't look consistent.

> Why can't we remove it from the ifindex, too? That would be a normal delayed free practice: remove all references to a structure, mark it as being deleted and wait for threads that hold a reference to finish.

That might be better. I'll take a closer look at that tomorrow, when I'm sure I'm not going to break if_vmove().

I'm also digging that. I think your patch is fine as a temporary measure.

This revision is now accepted and ready to land. Jan 28 2022, 5:52 PM
This revision was automatically updated to reflect the committed changes.