NetBSD-Bugs archive


Re: kern/49264: vlan(4): concurrent executions of ifconfig cause a fatal page fault



On Fri, Oct 10, 2014 at 03:43:14PM +0900, Ryota Ozaki wrote:
> With the same configuration, I got another kind of fatal page
> faults (see backtraces below).
> 
> In both cases, it seems that an ifnet data of vlan encounters
> a use after free. I can work around the issue with this patch:
> 
> diff --git a/sys/net/if_vlan.c b/sys/net/if_vlan.c
> index 70a5940..d6aac2c 100644
> --- a/sys/net/if_vlan.c
> +++ b/sys/net/if_vlan.c
> @@ -251,10 +251,10 @@ vlan_clone_destroy(struct ifnet *ifp)
>         s = splnet();
>         LIST_REMOVE(ifv, ifv_list);
>         vlan_unconfig(ifp);
> -       splx(s);
> 
>         if_detach(ifp);
>         free(ifv, M_DEVBUF);
> +       splx(s);
> 
>         return (0);
>  }
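
Review bot: moving splx(s) below free(ifv, M_DEVBUF) keeps the whole teardown, including the allocator call, at splnet, and nothing in this hunk shows free() needing that level. If the goal is to keep if_detach(ifp) inside the protected section, restoring the level right after if_detach(ifp) and before free() gives the same coverage with a shorter raised-IPL window. The hunk also does not show which path still reaches ifv after LIST_REMOVE(ifv, ifv_list), so a comment stating what the extended splnet section guards against would make the change reviewable; since the report involves concurrent ifconfig runs, it is worth confirming that a raised spl is what serializes those callers at all.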
> 
> I'm not sure if this fix is correct.

At first glance, I think the splx(s) needs to be between if_detach()
and free().
if_detach() needs to be called at splnet() but free() doesn't.

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 years of experience will always make the difference