From owner-freebsd-bugs@FreeBSD.ORG Wed May 14 21:50:07 2003
Message-Id: <200305150449.h4F4ngYL084992@shuttle.wide.toshiba.co.jp>
Date: Thu, 15 May 2003 13:49:42 +0900 (JST)
From: Jinmei Tatuya
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: kern/52260: sys/net/if.c:if_detach in FreeBSD4 forgets resetting the ifindex2ifnet array
Reply-To: Jinmei Tatuya

>Number: 52260
>Category: kern
>Synopsis: sys/net/if.c:if_detach in FreeBSD4 forgets resetting the ifindex2ifnet array
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed May 14 21:50:05 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Jinmei Tatuya
>Release: FreeBSD 4.8-RELEASE i386
>Organization: Toshiba Corporation / the KAME Project
>Environment:
System: FreeBSD tachyon.jinmei.org 4.8-RELEASE FreeBSD 4.8-RELEASE #7: Thu May 8 22:57:19 JST 2003 jinmei@tachyon.jinmei.org:/home/jinmei/src/kame/kame/freebsd4/sys/compile/TACHYON_SCTP i386

machine: Toshiba Portege 2000
OS: FreeBSD 4.8 + KAME snap from the repository (around 20030510)
(the bug is not specific to KAME snap, though)

>Description:
sys/net/if.c:if_detach() does not NULL-clear the corresponding ifindex2ifnet[] entry, so if we try to reuse the interface index for a detached interface, the kernel will refer to a dangling pointer and cause unexpected behavior (perhaps a crash).

FreeBSD current apparently does not have this bug. But this is quite critical, so I believe we should fix this on the FreeBSD-4 branch as well.

>How-To-Repeat:
I can't always reproduce the bug, but I once saw a kernel crash due to this when I removed an IEEE 802 PCMCIA device from the laptop while running rtsold on the wireless interface.

>Fix:
The following is a patch to FreeBSD 4.8 RELEASE to fix this.
--- if.c.orig Thu May 15 12:58:18 2003 +++ if.c Thu May 15 12:58:37 2003 @@ -310,6 +310,7 @@ /* Announce that the interface is gone. */ rt_ifannouncemsg(ifp, IFAN_DEPARTURE); + ifindex2ifnet[ifp->if_index] = NULL; TAILQ_REMOVE(&ifnet, ifp, if_link); splx(s); } >Release-Note: >Audit-Trail: >Unformatted:
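Review bot: the added store `ifindex2ifnet[ifp->if_index] = NULL;` just before `TAILQ_REMOVE(&ifnet, ifp, if_link);` carries no comment saying why the slot is cleared, and it changes what a later lookup of that index sees from a dangling pointer to NULL. A one-line comment stating that the index can be reused after detach, so the slot must not keep pointing at the departed ifnet, would document the intent. Code that dereferences ifindex2ifnet[] entries without a NULL check is not visible in this hunk and should be audited together with this change. Placing the store before `splx(s)` looks right, since the table entry and the list removal then change under the same raised priority level.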
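The failure mode in the Description, as a user-space model added here for illustration (not code from the report or from FreeBSD). Only `ifindex2ifnet`, `if_index` and the detach step come from the report; the `_model` functions, the `alive` flag, `pool` and `MAX_IF` are assumptions of this example, and the flag stands in for memory the kernel would have released.

```c
#include <stddef.h>
#include <stdio.h>
#define MAX_IF 8                 /* table size chosen for the example */

struct ifnet {                   /* reduced to the fields the example needs */
    unsigned short if_index;
    int alive;                   /* 0 once the interface has been detached */
};

static struct ifnet pool[2];                  /* stands in for driver-owned memory */
static struct ifnet *ifindex2ifnet[MAX_IF];   /* index -> interface table */

static struct ifnet *if_attach_model(struct ifnet *ifp, unsigned short idx)
{
    ifp->if_index = idx;
    ifp->alive = 1;
    ifindex2ifnet[idx] = ifp;
    return ifp;
}

/* clear_slot = 0 models the reported behaviour, 1 models the patched one. */
static void if_detach_model(struct ifnet *ifp, int clear_slot)
{
    if (clear_slot)
        ifindex2ifnet[ifp->if_index] = NULL;
    ifp->alive = 0;              /* in the kernel the ifnet may be freed after this */
}

/* Lookup with a bounds check; callers must still handle NULL. */
static struct ifnet *ifnet_lookup_model(unsigned int idx)
{
    return idx < MAX_IF ? ifindex2ifnet[idx] : NULL;
}

/* 1 if the table still hands out an interface that is already gone. */
static int lookup_is_stale(unsigned int idx)
{
    struct ifnet *ifp = ifnet_lookup_model(idx);
    return ifp != NULL && !ifp->alive;
}

int main(void)
{
    if_detach_model(if_attach_model(&pool[0], 3), 0);
    printf("unpatched detach: stale=%d\n", lookup_is_stale(3));
    if_detach_model(if_attach_model(&pool[1], 3), 1);
    printf("patched detach:   stale=%d\n", lookup_is_stale(3));
    return 0;
}
```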