kern/129793: Locking related leaks in the kernel (routing handling)

Dheeraj Reddy dheeraj at ece.gatech.edu
Sat Dec 20 13:00:11 PST 2008


>Number:         129793
>Category:       kern
>Synopsis:       Locking related leaks in the kernel (routing handling)
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 20 21:00:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Dheeraj Reddy
>Release:        FreeBSD-current
>Organization:
Intel
>Environment:
/var/log % uname -a
FreeBSD vagisha.sudheeraj.net 8.0-CURRENT FreeBSD 8.0-CURRENT #1 r186333M: Sat Dec 20 12:22:11 PST 2008     dheeraj at vagisha.sudheeraj.net:/usr/src/sys/i386/compile/VAGISHA-CURRENT  i386


>Description:
I have a gif tunnel set up to Hurricane Electric.
When I have ipv6 traffic, I get the following kernel messages:

Dec 20 00:15:42 vagisha kernel: rtfree: 0xc22e0958 has 1 refs
Dec 20 00:16:18 vagisha kernel: rtfree: 0xc22e0958 has 1 refs
Dec 20 01:03:14 vagisha kernel: rtfree: 0xc22e0958 has 1 refs
Dec 20 01:04:27 vagisha kernel: rtfree: 0xc22e0958 has 1 refs
Dec 20 03:01:01 vagisha kernel: rtfree: 0xc22e0958 has 1 refs
Dec 20 08:34:35 vagisha kernel: rtfree: 0xc22e0958 has 1 refs

netstat -rAn shows that 0xC22e0958 is the default route for ipv6 traffic via gif0:
c22e0958 fe80::%gif0/64                    link#6                        U        gif0          mask (255) ffff ffff ffff ffff ffff ffff ffff



>How-To-Repeat:
Set up a gif tunnel to a tunnelbroker and just send some icmp traffic over the ipv6 network.


>Fix:
Patch attached.
rtalloc1 returns a locked route entry, so we should use RTFREE_LOCKED instead of rtfree.

Patch attached with submission follows:

Index: netinet6/in6_ifattach.c
===================================================================
--- netinet6/in6_ifattach.c	(revision 186333)
+++ netinet6/in6_ifattach.c	(working copy)
@@ -778,7 +778,7 @@
 		if ((ia->ia_flags & IFA_ROUTE) &&
 		    (rt = rtalloc1((struct sockaddr *)&ia->ia_addr, 0, 0UL))) {
 			rtflags = rt->rt_flags;
-			rtfree(rt);
+			RTFREE_LOCKED(rt);
 			rtrequest(RTM_DELETE, (struct sockaddr *)&ia->ia_addr,
 			    (struct sockaddr *)&ia->ia_addr,
 			    (struct sockaddr *)&ia->ia_prefixmask,
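Review bot: the reason for switching to RTFREE_LOCKED is not recorded anywhere in the hunk, and this is the one place where the allocation site is visible: the entry comes from `rtalloc1((struct sockaddr *)&ia->ia_addr, 0, 0UL)` two lines above, and the only thing read from it before release is `rt->rt_flags`. A one-line comment next to `RTFREE_LOCKED(rt);` stating that rtalloc1 returned the entry locked would stop a later reader from "correcting" it back to rtfree; since the macro both drops the reference and releases the lock, it is also worth noting that nothing after it touches `rt` (the following `rtrequest(RTM_DELETE, ...)` only uses the address copies, which the visible lines confirm).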
Index: netinet6/nd6_nbr.c
===================================================================
--- netinet6/nd6_nbr.c	(revision 186333)
+++ netinet6/nd6_nbr.c	(working copy)
@@ -259,7 +259,7 @@
 		need_proxy = (rt && (rt->rt_flags & RTF_ANNOUNCE) != 0 &&
 		    rt->rt_gateway->sa_family == AF_LINK);
 		if (rt)
-			rtfree(rt);
+			RTFREE_LOCKED(rt);
 		if (need_proxy) {
 			/*
 			 * proxy NDP for single entry
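Review bot: the lookup that produces `rt` is outside the visible context, so the hunk itself does not show that this entry is returned locked the way the in6_ifattach.c one is. The submitter's justification (rtalloc1 returns a locked entry) should be confirmed for this call site and stated in the commit message; if `rt` here came from a path that returns an unlocked entry, RTFREE_LOCKED would be the wrong primitive. The reads of `rt->rt_flags` and `rt->rt_gateway->sa_family` above happen before the release, and the `if (rt)` guard is preserved, which is fine.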
Index: netinet6/in6.c
===================================================================
--- netinet6/in6.c	(revision 186333)
+++ netinet6/in6.c	(working copy)
@@ -2141,16 +2141,16 @@
 		ifa = ifaof_ifpforaddr(__DECONST(struct sockaddr *, l3addr), ifp);
 		if (ifa != NULL) {
 			if (rt != NULL)
-				rtfree(rt);
+				RTFREE_LOCKED(rt);
 			return 0;
 		}
 		log(LOG_INFO, "IPv6 address: \"%s\" is not on the network\n",
 		    ip6_sprintf(ip6buf, &((const struct sockaddr_in6 *)l3addr)->sin6_addr));
 		if (rt != NULL)
-			rtfree(rt);
+			RTFREE_LOCKED(rt);
 		return EINVAL;
 	}
-	rtfree(rt);
+	RTFREE_LOCKED(rt);
 	return 0;
 }
 
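Review bot: the two releases inside the block are guarded by `if (rt != NULL)` while the final `RTFREE_LOCKED(rt);` before `return 0;` is unconditional, so the hunk implies `rt` can be NULL on the inner paths but never on the tail path. That asymmetry predates the change, but since all three sites are being touched it is worth either confirming in the commit message that the tail is only reached after a successful lookup or guarding it consistently; a stray NULL there would now dereference inside the macro rather than inside rtfree.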
Index: netinet6/in6_gif.c
===================================================================
--- netinet6/in6_gif.c	(revision 186333)
+++ netinet6/in6_gif.c	(working copy)
@@ -375,10 +375,10 @@
 			    ip6_sprintf(ip6buf, &sin6.sin6_addr));
 #endif
 			if (rt)
-				rtfree(rt);
+				RTFREE_LOCKED(rt);
 			return 0;
 		}
-		rtfree(rt);
+		RTFREE_LOCKED(rt);
 	}
 
 	return 128 * 2;
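Review bot: same shape as the in6.c hunk: the release inside the block is guarded by `if (rt)` while the one after the block is not, and the lookup that produced `rt` is not in the visible context. Please confirm both sites receive a locked entry from rtalloc1 (or another locked-return path) and that the unguarded release cannot see a NULL `rt`, and say so in the commit message, since the hunk alone does not let a reviewer verify the locking assumption the fix depends on.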


>Release-Note:
>Audit-Trail:
>Unformatted:
