[Pkg-vsquare-devel] Bug#764476: vde2: Segfaults due to race condition between find_in_hash() and hash_gc()

Bas van Sisseren bas at quarantainenet.nl
Tue Oct 7 12:18:39 UTC 2014 

Package: vde2
Version: 2.3.2-4.2
Severity: important
Tags: upstream patch

Hello,

We're using the vde2-switch as network switch for several qemu-processes. Lately we
noticed a lot of segfaults from the vde2-switch process. We were able to trigger the
segfaults more often when we generate a lot of random mac-addresses on the network,
combined with a lot of traffic.

After diving into the code, I noticed that the hash_gc() method is called from the
SIGALRM signal handler, which could happen at the same time as a find_in_hash() or
find_in_hash_update() lookup. The hash_gc() can then invalidate a pointer which the
find_in_hash() or find_in_hash_update() call is still using, which causes a segfault.

By simply delaying the hash_gc() to the next find_in_hash() or find_in_hash_update()
call, it is no longer possible to have invalid pointers. The suggested patch does this
by setting the new 'delayed_hash_gc' flag.


ps. Afaics, it is now also safe to remove all qtime_csenter()/qtime_csexit() calls
    in hash.c, but I'll leave that to the author of vde2 to verify that.


Regards,

Bas van Sisseren


-- System Information:
Debian Release: jessie/sid
  APT prefers squeeze-lts
  APT policy: (500, 'squeeze-lts'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.16-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages vde2 depends on:
ii  adduser      3.113+nmu3
ii  libc6        2.19-11
ii  libpcap0.8   1.6.2-1
ii  libvde0      2.3.2-4.2
ii  libvdeplug2  2.3.2-4.2

vde2 recommends no packages.

Versions of packages vde2 suggests:
ii  qemu           2.1+dfsg-5
pn  qemu-kvm       <none>
pn  vde2-cryptcab  <none>

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vde-2.3.2-fix-for-qtime-hash-gc-race-condition.patch
Type: text/x-diff
Size: 1689 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-vsquare-devel/attachments/20141007/2d9fcc4e/attachment.patch>

More information about the Pkg-vsquare-devel mailing list