Date: Fri, 16 Dec 2016 15:55:41 -0700 From: Alan Somers <asomers@freebsd.org> To: Mateusz Guzik <mjguzik@gmail.com> Cc: "src-committers@freebsd.org" <src-committers@freebsd.org>, "svn-src-all@freebsd.org" <svn-src-all@freebsd.org>, "svn-src-head@freebsd.org" <svn-src-head@freebsd.org> Subject: Re: svn commit: r310180 - head/sys/net Message-ID: <CAOtMX2h0ZqqeaWEnOF1Cm3dNR_3_2XTk4bB9pxVtTJ=XHZ3Z5A@mail.gmail.com> In-Reply-To: <20161216224535.GA6408@dft-labs.eu> References: <201612162239.uBGMdVSL027853@repo.freebsd.org> <20161216224535.GA6408@dft-labs.eu>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Dec 16, 2016 at 3:45 PM, Mateusz Guzik <mjguzik@gmail.com> wrote: > On Fri, Dec 16, 2016 at 10:39:31PM +0000, Alan Somers wrote: >> Author: asomers >> Date: Fri Dec 16 22:39:30 2016 >> New Revision: 310180 >> URL: https://svnweb.freebsd.org/changeset/base/310180 >> >> Log: >> Fix panic during lagg destruction with simultaneous status check >> >> If you run "ifconfig lagg0 destroy" and "ifconfig lagg0" at the same time a >> page fault may result. The first process will destroy ifp->if_lagg in >> lagg_clone_destroy (called by if_clone_destroy). Then the second process >> will observe that ifp->if_lagg is NULL at the top of lagg_port_ioctl and >> goto fallback: where it will promptly dereference ifp->if_lagg anyway. >> >> The solution is to repeat the NULL check for ifp->if_lagg >> > > I don't understand how this solves the problem. What prevents the object > from getting freed after the pointer got NULLified? That is, it seems > the patch turns a null pointer deref into a use-after-free. > > There seems to be a refcounting issue here. > > That said, I only did cursory reading. What object are you talking about? The problem solved by this commit is the null-pointer dereference in the thread calling lagg_port_ioctl, for example "ifconfig lagg0".
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAOtMX2h0ZqqeaWEnOF1Cm3dNR_3_2XTk4bB9pxVtTJ=XHZ3Z5A>