On Fri, Mar 27, 2020 at 03:16:54PM +0300, Vitaliy Makkoveev wrote:
> On Fri, Mar 27, 2020 at 10:43:52AM +0100, Martin Pieuchot wrote:
> > Do you have a backtrace for the memory corruption? Could you share it?
> Yes. Apply the patch below, compile and run the code, and when you see
> "pipex_session ... killed" kill this program. Screenshot attached.
> STABLE-6.[56] are affected too.
>
> ---- cut begin ----
>
> #include <sys/types.h>
> #include <sys/ioctl.h>
> #include <sys/select.h>
> #include <sys/socket.h>
> #include <sys/stat.h>
> #include <stdio.h>
> #include <err.h>
> #include <fcntl.h>
> #include <string.h>
>
> #include <arpa/inet.h>
> #include <netinet/in.h>
> #include <net/if.h>
> #include <net/pipex.h>
>
> /*
>  * Reproducer: open the pppx control device, add one L2TP pipex session
>  * with zeroed AF_INET local/peer sockaddrs, then block forever so the
>  * descriptor (and with it the session) stays open while the kernel's
>  * pipex_timer() runs.  Meant to be run with the diff below applied, which
>  * prints the session address when it is created and when the timer
>  * destroys it.
>  */
> int main(void)
> {
> int fd;
> struct pipex_session_req req;
>
> /* Read/write handle on the pppx control device; failure is fatal. */
> if((fd=open("/dev/pppx0", O_RDWR))<0){
> err(1, "open()");
> }
>
> /* Start from an all-zero request so only the fields below are set. */
> memset(&req, 0, sizeof(req));
>
> /* NOTE(review): the author's correction on the next line says the intended
>  * value is 1, so that pipex_timer()'s idle check actually fires for it. */
> req.pr_timeout_sec=0;
Sorry, this line should be "req.pr_timeout_sec=1;"
>
> /* L2TP session between two AF_INET addresses; only ss_family and ss_len
>  * are filled in, the address and port bytes stay zero from memset(). */
> req.pr_protocol=PIPEX_PROTO_L2TP;
> req.pr_local_address.ss_family=AF_INET;
> req.pr_local_address.ss_len=sizeof(struct sockaddr_in);
> req.pr_peer_address.ss_family=AF_INET;
> req.pr_peer_address.ss_len=sizeof(struct sockaddr_in);
>
> /* Add the session; per the if_pppx.c hunk this is where pr_timeout_sec
>  * and pr_protocol are consumed by pppx_add_session(). */
> if(ioctl(fd, PIPEXASESSION, &req)<0){
> err(1, "ioctl()");
> }
>
> /* No descriptors and no timeout: sleep until killed, keeping fd open. */
> select(0, NULL, NULL, NULL, NULL);
>
> return 0;
> }
>
> ---- cut end ----
>
> Index: sys/net/if_pppx.c
> ===================================================================
> RCS file: /cvs/src/sys/net/if_pppx.c,v
> retrieving revision 1.77
> diff -u -p -r1.77 if_pppx.c
> --- sys/net/if_pppx.c 26 Mar 2020 16:50:46 -0000 1.77
> +++ sys/net/if_pppx.c 27 Mar 2020 12:02:33 -0000
> @@ -665,6 +665,12 @@ pppx_add_session(struct pppx_dev *pxd, s
> struct ifnet *over_ifp = NULL;
> #endif
>
> +#if 0
> + /* XXX: prevent pxi destruction by pipex_timer() */
> + if (req->pr_timeout_sec != 0)
> + return (EINVAL);
> +#endif
> +
> switch (req->pr_protocol) {
> #ifdef PIPEX_PPPOE
> case PIPEX_PROTO_PPPOE:
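Review bot: The EINVAL check at the top of the hunk is compiled out with `#if 0`, so the kernel's handling of a user-supplied non-zero `pr_timeout_sec` is unchanged by this diff; the block documents the suspected cause rather than fixing it, and the covering message should say so. If it were enabled it would reject every pppx session with a timeout, a contract change for the ioctl, so the `XXX` comment should state the hazard instead of just the workaround, e.g. `/* the pipex_session is embedded in the pppx_if; pipex_timer() must not free it */` — that ownership is inferred from the second hunk, which prints `&pxi->pxi_session`, so confirm it before wording the comment. pppx_add_session() starts before this hunk.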
> @@ -706,6 +712,11 @@ pppx_add_session(struct pppx_dev *pxd, s
> pxi = pool_get(pppx_if_pl, PR_WAITOK | PR_ZERO);
> if (pxi == NULL)
> return (ENOMEM);
> +
> +#if 1
> + printf("%s: new pppx_if pipex_session %p timeout %u\n",
> + __func__, &pxi->pxi_session, req->pr_timeout_sec);
> +#endif
>
> session = &pxi->pxi_session;
> ifp = &pxi->pxi_if;
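Review bot: The `#if 1` printf added after pool_get() writes the kernel address of `&pxi->pxi_session` to the console, and the two pipex_timer() hunks in pipex.c do the same with `session`; that is acceptable for a diagnostic diff but it exposes kernel heap addresses to anyone who can read the message buffer, so none of the three blocks should be committed as is. If the trace is meant to stay, place it behind the file's existing debug conditional rather than `#if 1`, and check that `%u` matches the declared type of `pr_timeout_sec`, which is not visible here. pppx_add_session() continues outside the hunk.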
> Index: sys/net/pipex.c
> ===================================================================
> RCS file: /cvs/src/sys/net/pipex.c,v
> retrieving revision 1.109
> diff -u -p -r1.109 pipex.c
> --- sys/net/pipex.c 26 Mar 2020 16:50:46 -0000 1.109
> +++ sys/net/pipex.c 27 Mar 2020 12:02:34 -0000
> @@ -767,6 +767,10 @@ pipex_timer(void *ignored_arg)
> session->stat.idle_time++;
> if (session->stat.idle_time < session->timeout_sec)
> continue;
> +#if 1
> + printf("%s: pipex_session %p timeout\n",
> + __func__, session);
> +#endif
>
> pipex_notify_close_session(session);
> break;
> @@ -792,6 +796,10 @@ pipex_timer(void *ignored_arg)
> continue;
>
> pipex_destroy_session(session);
> +#if 1
> + printf("%s: pipex_session %p killed\n",
> + __func__, session);
> +#endif
> break;
>
> default:
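Review bot: The added printf formats `session` after `pipex_destroy_session(session)` has already run; only the address is printed, so nothing is dereferenced, but emitting the line before the call keeps the log ordered with the event and avoids handling a pointer to a released object. More importantly, if the sessions that reach this branch include the ones embedded in a pppx_if (the if_pppx.c hunk prints `&pxi->pxi_session`), the destroy releases memory that the pppx_if still owns — presumably the corruption the reproducer shows — and the fix belongs at that ownership boundary rather than in this trace; that is inferred from the two hunks, not visible in either. pipex_timer() continues outside the hunk.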