DragonFlyBSD Kernel Audit
DF-0557

Callout UAF race on hook disconnect/node shutdown: callout_stop doesn't drain the ticker

Summary

nglmi_disconnect(:1091) calls callout_stop(&sc->timeout) and then ng_rmnode(:1094). ng_rmnode reaches nglmi_rmnode(:1063), which sets node->private = NULL, drops the node reference (ng_unref) and kfree()s sc (:1072) WITHOUT ever draining the callout. On DragonFly, callout_stop only cancels a pending callout; it does not guarantee that a handler already running on another CPU (LMI_ticker, :273) has finished. The crit_enter/crit_exit pair inside the ticker (:277/:291) is per-CPU and does not serialize against the free on the disconnecting CPU. So a ticker that is mid-execution, or that has already been dispatched and is about to fire, dereferences the freed softc through sc->flags, sc->lmi_channel and sc->dlci_state. Trigger: a local privileged user disconnects the LMI hook and races the 10 Hz/3 Hz ticker; the window is small but recurs on every disconnect.

Fix: use callout_stop_sync (cancel and wait for a running handler to return) in nglmi_disconnect AND in nglmi_rmnode before the kfree, so that both teardown paths are covered. Caveat: callout_stop_sync blocks until the handler returns, so it must not be called while holding a lock the ticker itself acquires.
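The following userland model, added here to illustrate the finding and not taken from the DragonFly source, reproduces the stop-vs-drain difference with pthreads. The callout_*_model functions, lmi_ticker_model and disconnect_and_free are constructed stand-ins for the kernel callout API, LMI_ticker and the nglmi_disconnect/nglmi_rmnode path; the softc layout and the SC_LIVE/SC_DEAD markers are assumptions (SC_DEAD stands in for the memory being reused after kfree). With sync == false the ticker observes the "freed" softc, exactly the DF-0557 pattern; with sync == true the handler is drained first and never does.

```c
/* Userland model of callout_stop() vs callout_stop_sync() for DF-0557.
 * Assumption: toy reimplementation for illustration only; names mirror the
 * DragonFly API but this is not kern/kern_timeout.c. Build: cc -pthread */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

#define SC_LIVE 0x4c4d4921   /* constructed marker: softc is allocated */
#define SC_DEAD 0x0dead0de   /* constructed marker: memory reused after kfree */

struct callout {
    pthread_mutex_t lock;
    pthread_cond_t  idle;
    bool pending;          /* scheduled but not yet fired */
    bool running;          /* handler executing on the "other CPU" */
    void (*fn)(void *);
    void *arg;
    int  delay_ms;
};

/* Stand-in for the ng_lmi softc: only what the ticker touches. */
struct lmi_softc {
    atomic_int magic;      /* SC_LIVE while allocated, SC_DEAD after "kfree" */
    atomic_int uaf_seen;   /* set by the ticker if it reads a dead softc */
    struct callout timeout;
};

static void sleep_ms(int ms)
{
    struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
}

/* Softclock on another CPU: fire the handler with no lock held. */
static void *softclock_thread(void *p)
{
    struct callout *c = p;
    sleep_ms(c->delay_ms);
    pthread_mutex_lock(&c->lock);
    if (!c->pending) {                      /* cancelled before it fired */
        pthread_mutex_unlock(&c->lock);
        return NULL;
    }
    c->pending = false;
    c->running = true;
    pthread_mutex_unlock(&c->lock);
    c->fn(c->arg);
    pthread_mutex_lock(&c->lock);
    c->running = false;
    pthread_cond_broadcast(&c->idle);
    pthread_mutex_unlock(&c->lock);
    return NULL;
}

static void callout_init_model(struct callout *c, void (*fn)(void *), void *arg)
{
    pthread_mutex_init(&c->lock, NULL);
    pthread_cond_init(&c->idle, NULL);
    c->pending = c->running = false;
    c->fn = fn;
    c->arg = arg;
}

static void callout_reset_model(struct callout *c, int delay_ms)
{
    pthread_t t;
    pthread_mutex_lock(&c->lock);
    c->pending = true;
    c->delay_ms = delay_ms;
    pthread_mutex_unlock(&c->lock);
    pthread_create(&t, NULL, softclock_thread, c);
    pthread_detach(t);
}

/* callout_stop(): cancels a pending callout, returns at once even if the
 * handler is mid-execution elsewhere. This is what nglmi_disconnect uses. */
static void callout_stop_model(struct callout *c)
{
    pthread_mutex_lock(&c->lock);
    c->pending = false;
    pthread_mutex_unlock(&c->lock);
}

/* callout_stop_sync(): same cancel, then block until no handler is running. */
static void callout_stop_sync_model(struct callout *c)
{
    pthread_mutex_lock(&c->lock);
    c->pending = false;
    while (c->running)
        pthread_cond_wait(&c->idle, &c->lock);
    pthread_mutex_unlock(&c->lock);
}

/* Stand-in for LMI_ticker(): keeps touching the softc for ~200 ms, the way
 * the real ticker walks sc->dlci_state and reads sc->flags. */
static void lmi_ticker_model(void *arg)
{
    struct lmi_softc *sc = arg;
    for (int i = 0; i < 200; i++) {
        if (atomic_load(&sc->magic) != SC_LIVE)
            atomic_store(&sc->uaf_seen, 1);   /* dereferenced freed memory */
        sleep_ms(1);
    }
}

static void wait_until_running(struct callout *c)
{
    for (;;) {
        pthread_mutex_lock(&c->lock);
        bool r = c->running;
        pthread_mutex_unlock(&c->lock);
        if (r)
            return;
        sleep_ms(1);
    }
}

/* nglmi_disconnect + nglmi_rmnode: stop the ticker, then "kfree" the softc.
 * Returns 1 if the ticker observed the freed softc, 0 otherwise. */
int disconnect_and_free(bool sync)
{
    struct lmi_softc sc = { .magic = SC_LIVE, .uaf_seen = 0 };
    callout_init_model(&sc.timeout, lmi_ticker_model, &sc);
    callout_reset_model(&sc.timeout, 1);
    wait_until_running(&sc.timeout);          /* ticker is mid-execution */

    if (sync)
        callout_stop_sync_model(&sc.timeout); /* the fix: drain before freeing */
    else
        callout_stop_model(&sc.timeout);      /* DF-0557: cancel only, no drain */

    atomic_store(&sc.magic, SC_DEAD);         /* kfree(sc) in nglmi_rmnode */

    callout_stop_sync_model(&sc.timeout);     /* demo only: reap the ticker to read the verdict */
    return atomic_load(&sc.uaf_seen);
}

int main(void)
{
    printf("callout_stop only: uaf=%d\n", disconnect_and_free(false));
    printf("callout_stop_sync: uaf=%d\n", disconnect_and_free(true));
    return 0;
}
```

The model keeps the handler running without any lock held, as softclock does, which is why clearing the pending flag under the callout lock is not enough: the only thing that closes the window is waiting on the running flag before the memory goes away. The final callout_stop_sync_model in disconnect_and_free exists only so the demo can collect the result; in the kernel the equivalent wait is precisely what the fix adds before the kfree.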