NetBSD-Bugs archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: kern/49264: vlan(4): concurrent executions of ifconfig cause a fatal page fault
On Fri, Oct 10, 2014 at 03:43:14PM +0900, Ryota Ozaki wrote:
> With the same configuration, I got another kind of fatal page
> faults (see backtraces below).
>
> In both cases, it seems that a ifnet data of vlan encounters
> use after free. I can work around the issue with this patch:
>
> diff --git a/sys/net/if_vlan.c b/sys/net/if_vlan.c
> index 70a5940..d6aac2c 100644
> --- a/sys/net/if_vlan.c
> +++ b/sys/net/if_vlan.c
> @@ -251,10 +251,10 @@ vlan_clone_destroy(struct ifnet *ifp)
> s = splnet();
> LIST_REMOVE(ifv, ifv_list);
> vlan_unconfig(ifp);
> - splx(s);
>
> if_detach(ifp);
> free(ifv, M_DEVBUF);
> + splx(s);
>
> return (0);
> }
>
> I'm not sure if this fix is correct.
At first glance, I think the splx(s) needs to be between if_detach()
and free().
if_detach() needs to be called at splnet() but free() doesn't.
--
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
NetBSD: 26 ans d'experience feront toujours la difference
--
Home |
Main Index |
Thread Index |
Old Index