Date: Mon, 22 Apr 2019 10:32:13 +0200
From: Hans Petter Selasky <hps@selasky.org>
To: Enji Cooper <yaneurabeya@gmail.com>
Cc: src-committers <src-committers@freebsd.org>, svn-src-all <svn-src-all@freebsd.org>, svn-src-head@freebsd.org
Subject: Re: svn commit: r346530 - in head/sys: netinet netinet6
Message-ID: <f2567fc6-fd5b-67c9-a994-5a48d65d1278@selasky.org>
In-Reply-To: <87917500-0381-79d8-a34b-819848abed32@selasky.org>
References: <201904220727.x3M7ROpR009729@repo.freebsd.org> <2F3D6B17-AF4F-4B0F-B20E-5EF41DE851F9@gmail.com> <87917500-0381-79d8-a34b-819848abed32@selasky.org>

On 4/22/19 10:10 AM, Hans Petter Selasky wrote:
> On 4/22/19 9:52 AM, Enji Cooper wrote:
>>
>>> On Apr 22, 2019, at 12:27 AM, Hans Petter Selasky
>>> <hselasky@FreeBSD.org> wrote:
>>>
>>> Author: hselasky
>>> Date: Mon Apr 22 07:27:24 2019
>>> New Revision: 346530
>>> URL: https://svnweb.freebsd.org/changeset/base/346530
>>>
>>> Log:
>>> Fix panic in network stack due to memory use after free in relation to
>>> fragmented packets.
>>>
>>> When sending IPv4 and IPv6 fragmented packets and a fragment is lost,
>>> the mbuf making up the fragment will remain in the temporary hashed
>>> fragment list for a while. If the network interface departs before the
>>> so-called slow timeout clears the packet, the fragment causes a panic
>>> when the timeout kicks in due to accessing a freed network interface
>>> structure.
>>>
>>> Make sure that when a network device is departing, all hashed IPv4 and
>>> IPv6 fragments belonging to it, get freed.
>>>
>>> Backtrace:
>>> panic()
>>> icmp6_reflect()
>>>
>>> hlim = ND_IFINFO(m->m_pkthdr.rcvif)->chlim;
>>> ^^^^ rcvif->if_afdata[AF_INET6] is NULL.
>>>
>>> icmp6_error()
>>> frag6_freef()
>>> frag6_slowtimo()
>>> pfslowtimo()
>>> softclock_call_cc()
>>> softclock()
>>> ithread_loop()
>>>
>>> Differential Revision: https://reviews.freebsd.org/D19622
>>> Reviewed by: bz (network), adrian
>>> MFC after: 1 week
>>> Sponsored by: Mellanox Technologies
>>
>> This commit broke the build on mips, etc:
>>
>> 07:36:06
>> --- ip_reass.o ---
>>
>> 07:36:06
>> /usr/src/sys/netinet/ip_reass.c:641: error: expected ')' before '(' token
>>
>> 07:36:06 *** [ip_reass.o] Error code 1
>>
>> EVENTHANDLER_DEFINE looks like it doesn’t work with gcc?
>
> I'm looking into it.
>
> Thank you!
>
> --HPS
>
>

Should be fixed by r346535

Else I'll revert.

--HPS
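
The fix described in the quoted commit log, as an added example that is not part of the original e-mail or the FreeBSD source: a userland C model in which every name (frag_enqueue, frag_purge_ifp, the struct layouts, the em0/em1 sample interfaces) is hypothetical. When an interface departs, it frees all hashed fragments that still point at that interface, so a later timeout has no stale pointer to dereference.

```c
/* Userland model with hypothetical names; not FreeBSD kernel code. */
#include <stdlib.h>

#define NBUCKETS 4
struct ifnet { int index; };              /* stand-in for the interface */
struct frag {                             /* stand-in for a queued fragment */
    struct frag *next;
    struct ifnet *rcvif;                  /* borrowed pointer into the interface */
};
static struct frag *buckets[NBUCKETS];    /* temporary hashed fragment list */

/* Queue a fragment received on ifp; returns 0 on success. */
static int frag_enqueue(struct ifnet *ifp, unsigned hash)
{
    struct frag *f = malloc(sizeof(*f));
    if (f == NULL)
        return -1;
    f->rcvif = ifp;
    f->next = buckets[hash % NBUCKETS];
    buckets[hash % NBUCKETS] = f;
    return 0;
}

/* Departure hook: free every fragment still pointing at ifp and
 * return how many were freed. Must run before ifp itself is freed. */
static int frag_purge_ifp(const struct ifnet *ifp)
{
    int freed = 0;
    for (int i = 0; i < NBUCKETS; i++) {
        struct frag **pp = &buckets[i];
        while (*pp != NULL) {
            struct frag *f = *pp;
            if (f->rcvif != ifp) { pp = &f->next; continue; }
            *pp = f->next;                /* unlink before freeing */
            free(f);
            freed++;
        }
    }
    return freed;
}

int main(void)
{
    struct ifnet em0 = {1}, em1 = {2};    /* constructed sample interfaces */
    frag_enqueue(&em0, 0); frag_enqueue(&em1, 0); frag_enqueue(&em0, 5);
    int gone = frag_purge_ifp(&em0);      /* em0 departs */
    return (gone == 2 && frag_purge_ifp(&em1) == 1) ? 0 : 1;
}
```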