kern/58477: experimental wg(4) ALTQ support is probably buggy

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/58477: experimental wg(4) ALTQ support is probably buggy
From: campbell+netbsd%mumble.net@localhost
Date: Sun, 28 Jul 2024 11:25:00 +0000 (UTC)

>Number:         58477
>Category:       kern
>Synopsis:       experimental wg(4) ALTQ support is probably buggy
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jul 28 11:25:00 +0000 2024
>Originator:     Taylor R Campbell
>Release:        current, 10
>Organization:
The AltWGQ Foundation
>Environment:
>Description:
When using ALTQ, packets in-flight to a peer may be stored in the ifp->if_snd queue, not just in wg_pktq and in the peer's wgp->wgp_pending.

When destroying a peer, we need to make sure there are no more references to it by packets in-flight, in wg_purge_pending_packets.  Currently this clears wgp->wgp_pending and waits for wg_pktq, but doesn't do anything about the packets in ifp->if_snd, so using wg(4) with ALTQ may lead to use-after-free.
>How-To-Repeat:
use wg(4) with ALTQ and remove peers during traffic
>Fix:
Not sure there's any good way to drop just those packets destined to a particular peer, so it's probably easiest to just do wg_start(&wgp->wgp_sc->wg_if) to wait for all queued packets to be processed.

Prev by Date: Re: port-amd64/57948 (ramdisk-zfsroot should be built by default)
Next by Date: kern/58478: experimental wg(4) probably doesn't build with INET6-only
Previous by Thread: Re: kern/24013 (i810 Cannot allocate memory)
Next by Thread: kern/58478: experimental wg(4) probably doesn't build with INET6-only
Indexes:

Home | Main Index | Thread Index | Old Index