On Fri, Mar 27, 2020 at 03:16:54PM +0300, Vitaliy Makkoveev wrote:
> On Fri, Mar 27, 2020 at 10:43:52AM +0100, Martin Pieuchot wrote:
> > Do you have a backtrace for the memory corruption? Could you share it?
> Yes. Apply patch below, compile and run code, and when you see
> "pipex_session ... killed" kill this code. Screenshot attached.
> STABLE-6.[56] are affected too.
>
> ---- cut begin ----
>
> #include <sys/types.h>
> #include <sys/ioctl.h>
> #include <sys/select.h>
> #include <sys/socket.h>
> #include <sys/stat.h>
> #include <stdio.h>
> #include <err.h>
> #include <fcntl.h>
> #include <string.h>
>
> #include <arpa/inet.h>
> #include <netinet/in.h>
> #include <net/if.h>
> #include <net/pipex.h>
>
> int main(void)
> {
> int fd;
> struct pipex_session_req req;
>
> if((fd=open("/dev/pppx0", O_RDWR))<0){
> err(1, "open()");
> }
>
> memset(&req, 0, sizeof(req));
>
> req.pr_timeout_sec=0;
Sorry, this line should be "req.pr_timeout_sec=1;"
>
> req.pr_protocol=PIPEX_PROTO_L2TP;
> req.pr_local_address.ss_family=AF_INET;
> req.pr_local_address.ss_len=sizeof(struct sockaddr_in);
> req.pr_peer_address.ss_family=AF_INET;
> req.pr_peer_address.ss_len=sizeof(struct sockaddr_in);
>
> if(ioctl(fd, PIPEXASESSION, &req)<0){
> err(1, "ioctl()");
> }
>
> select(0, NULL, NULL, NULL, NULL);
>
> return 0;
> }
>
> ---- cut end ----
>
> Index: sys/net/if_pppx.c
> ===================================================================
> RCS file: /cvs/src/sys/net/if_pppx.c,v
> retrieving revision 1.77
> diff -u -p -r1.77 if_pppx.c
> --- sys/net/if_pppx.c 26 Mar 2020 16:50:46 -0000 1.77
> +++ sys/net/if_pppx.c 27 Mar 2020 12:02:33 -0000
> @@ -665,6 +665,12 @@ pppx_add_session(struct pppx_dev *pxd, s
> struct ifnet *over_ifp = NULL;
> #endif
>
> +#if 0
> + /* XXX: prevent pxi destruction by pipex_timer() */
> + if (req->pr_timeout_sec != 0)
> + return (EINVAL);
> +#endif
> +
> switch (req->pr_protocol) {
> #ifdef PIPEX_PPPOE
> case PIPEX_PROTO_PPPOE:
> @@ -706,6 +712,11 @@ pppx_add_session(struct pppx_dev *pxd, s
> pxi = pool_get(pppx_if_pl, PR_WAITOK | PR_ZERO);
> if (pxi == NULL)
> return (ENOMEM);
> +
> +#if 1
> + printf("%s: new pppx_if pipex_session %p timeout %u\n",
> + __func__, &pxi->pxi_session, req->pr_timeout_sec);
> +#endif
>
> session = &pxi->pxi_session;
> ifp = &pxi->pxi_if;
> Index: sys/net/pipex.c
> ===================================================================
> RCS file: /cvs/src/sys/net/pipex.c,v
> retrieving revision 1.109
> diff -u -p -r1.109 pipex.c
> --- sys/net/pipex.c 26 Mar 2020 16:50:46 -0000 1.109
> +++ sys/net/pipex.c 27 Mar 2020 12:02:34 -0000
> @@ -767,6 +767,10 @@ pipex_timer(void *ignored_arg)
> session->stat.idle_time++;
> if (session->stat.idle_time < session->timeout_sec)
> continue;
> +#if 1
> + printf("%s: pipex_session %p timeout\n",
> + __func__, session);
> +#endif
>
> pipex_notify_close_session(session);
> break;
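Review bot: The `pr_timeout_sec != 0` guard is wrapped in `#if 0`, so the patch as posted only adds tracing and still lets pipex_timer() reach pipex_destroy_session() on a session that the second hunk stores inside the pool-allocated pppx_if (`session = &pxi->pxi_session`), which is the corruption the reproducer triggers. If rejecting idle timeouts from pppx(4) is the intended stopgap, enable the block and replace the XXX line with a comment that states the ownership rule, e.g. `/* the session is embedded in pxi; pipex_timer() must not destroy it */`, since the current wording reads as a temporary hack. Note that this turns every non-zero `pr_timeout_sec` into EINVAL for PIPEXASESSION callers, a user-visible change, so the timer path itself presumably needs fixing rather than input validation. pppx_add_session() continues outside the hunk.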
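Review bot: `%u` in the new printf is paired with `req->pr_timeout_sec`, which as far as I can tell is declared as a plain `int` in pipex.h, so the conversion does not match the argument type and a negative timeout would print as a large unsigned value; `%d` is the matching conversion. The `#if 1` blocks here and in both pipex_timer() hunks also print kernel heap addresses with `%p` unconditionally, which is fine for a local reproducer but should sit under a debug macro, or be dropped, before anything from this patch lands. pppx_add_session() continues outside the hunk.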
> @@ -792,6 +796,10 @@ pipex_timer(void *ignored_arg)
> continue;
>
> pipex_destroy_session(session);
> +#if 1
> + printf("%s: pipex_session %p killed\n",
> + __func__, session);
> +#endif
> break;
>
> default:
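Review bot: The new printf reads `session` after `pipex_destroy_session(session)` has released it; the pointer value is indeterminate at that point and, if the pool reuses the slot immediately, the logged address may already name a different session, which makes the trace misleading when correlating with the "timeout" line from the previous hunk. If the trace is kept, move it above the destroy call: `printf("%s: pipex_session %p killed\n", __func__, session);` followed by `pipex_destroy_session(session);`. pipex_timer() starts outside the hunk.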