Kernel crash on nd6_dad_timer
AbandonedPublic
Actions

Authored by steven_chen3_dell.com on Nov 1 2023, 8:25 AM.

Tags

None

Referenced Files

	Unknown Object (File)
	Fri, Mar 6, 9:19 PM

	Unknown Object (File)
	Fri, Mar 6, 11:30 AM

	Unknown Object (File)
	Fri, Mar 6, 4:56 AM

	Unknown Object (File)
	Wed, Mar 4, 5:46 AM

	Unknown Object (File)
	Feb 9 2026, 1:31 AM

	Unknown Object (File)
	Jan 3 2026, 1:14 PM

	Unknown Object (File)
	Dec 30 2025, 9:26 AM

	Unknown Object (File)
	Dec 28 2025, 7:54 PM

Subscribers

Details

Reviewers

melifaro

Group Reviewers

network

Summary

after nd6_dad_start is called, but before nd6_dad_timer run, if system start sleep, which will trigger nd6_dad_stop run, then before system suspend, nd6_dad_timer run, then kernel will access the freed memory.

Test Plan

sleep,resume test, after 600+ times

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

steven_chen3_dell.com created this revision.Nov 1 2023, 8:25 AM

Herald added subscribers: glebius, ae, imp. · View Herald TranscriptNov 1 2023, 8:25 AM

steven_chen3_dell.com requested review of this revision.Nov 1 2023, 8:25 AM

ae added inline comments.Nov 1 2023, 9:49 AM

sys/netinet6/nd6_nbr.c
1257	This also looks like access after free.

zlei added a reviewer: network.Nov 1 2023, 4:41 PM

zlei added a subscriber: zlei.

change the parameter of nd6_dad_timer to ifa, then before run, find dp by ifa.

steven_chen3_dell.com added inline comments.Nov 6 2023, 4:27 AM

sys/netinet6/nd6_nbr.c
1257	Yes, you are right, thank you! I am too careless. I have updated my diff now.

steven_chen3_dell.com abandoned this revision.Nov 14 2023, 8:10 AM

steven_chen3_dell.com marked an inline comment as not done.

Revision Contents
Changeset List

Path

Size

sys/

netinet6/

nd6_nbr.c

25 lines

Diff 129611

View Options

Kernel crash on nd6_dad_timerAbandonedPublicActions