sys/netinet6/in6_rmx.c: fix a double-free bug

Hiroki Sato hrs at allbsd.org
Fri Dec 31 15:38:33 PST 2004


Jeffrey Hsu <hsu at xxxxxxxxxxx> wrote
  in <41d1cb86$0$719$415eb37d at xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>:

hsu> I don't think it is a problem for our routing code to call rtrequest(RTM_DELETE) with
hsu> a NULL return route for the last parameter.  Are we talking about a recursive call
hsu> from rtfree() to rtfree() or from rtfree() back to rtrequest()?  A stack trace
hsu> showing the problem would help illustrate the problem for me.  Thanks.

 I can reproduce the system panic due to this double free.  Specifically,
 doing "sysctl net.inet6.ip6.rtexpire=0" and then "ping6 somewhere" will
 trigger it.  Probably Jinmei-san can explain the reason more precisely,
 but when rtq_reallyold == 0, rtfree() can be called twice from the
 rtrequest() in in6_clsroute() and somewhere else.

 Here is a stack trace from when the panic occurred (I think this is not so
 useful though...)

#23 0xc03fbef4 in Debugger (msg=0xc046df3c "panic") at machine/cpufunc.h:68
#24 0xc0261848 in panic (fmt=0xc047a720 "rtfree: rn_flags 0x%x ")
    at /usr/src/sys/kern/kern_shutdown.c:618
#25 0xc02bb84f in rtfree (rt=0xc172add8) at /usr/src/sys/net/route.c:191
#26 0xc02eb111 in in6_pcbdetach (inp=0xcd81eb00)
    at /usr/src/sys/netinet6/in6_pcb.c:610
#27 0xc02f638c in udp6_detach (so=0xcd662bc0)
    at /usr/src/sys/netinet6/udp6_usrreq.c:684
#28 0xc0287c53 in netmsg_pru_detach (msg=0xcf337af8)
    at /usr/src/sys/kern/uipc_msg.c:494
#29 0xc02b9e75 in netmsg_service_loop (arg=0x0)
    at /usr/src/sys/net/netisr.c:200
#30 0xc0266aa0 in lwkt_create () at /usr/src/sys/kern/lwkt_thread.c:1260

 If you want other information on this problem, please let me know.  Thanks.

-- 
| Hiroki SATO