kern/129793: Locking related leaks in the kernel (routing handling)
Dheeraj Reddy
dheeraj at ece.gatech.edu
Sat Dec 20 13:00:11 PST 2008
>Number: 129793
>Category: kern
>Synopsis: Locking related leaks in the kernel (routing handling)
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Dec 20 21:00:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Dheeraj Reddy
>Release: FreeBSD-current
>Organization:
Intel
>Environment:
/var/log % uname -a
FreeBSD vagisha.sudheeraj.net 8.0-CURRENT FreeBSD 8.0-CURRENT #1 r186333M: Sat Dec 20 12:22:11 PST 2008 dheeraj at vagisha.sudheeraj.net:/usr/src/sys/i386/compile/VAGISHA-CURRENT i386
>Description:
I have a gif tunnel set up to Hurricane Electric.
When I have IPv6 traffic, I get the following kernel messages:
Dec 20 00:15:42 vagisha kernel: rtfree: 0xc22e0958 has 1 refs
Dec 20 00:16:18 vagisha kernel: rtfree: 0xc22e0958 has 1 refs
Dec 20 01:03:14 vagisha kernel: rtfree: 0xc22e0958 has 1 refs
Dec 20 01:04:27 vagisha kernel: rtfree: 0xc22e0958 has 1 refs
Dec 20 03:01:01 vagisha kernel: rtfree: 0xc22e0958 has 1 refs
Dec 20 08:34:35 vagisha kernel: rtfree: 0xc22e0958 has 1 refs
netstat -rAn shows that 0xC22e0958 is the default route for ipv6 traffic via gif0
c22e0958 fe80::%gif0/64 link#6 U gif0 mask (255) ffff ffff ffff ffff ffff ffff ffff
>How-To-Repeat:
Set up a gif tunnel to a tunnelbroker and just send some icmp traffic over the ipv6 network.
>Fix:
Patch attached.
rtalloc1 returns a locked route entry, so we should use RTFREE_LOCKED instead of rtfree.
Patch attached with submission follows:
Index: netinet6/in6_ifattach.c
===================================================================
--- netinet6/in6_ifattach.c (revision 186333)
+++ netinet6/in6_ifattach.c (working copy)
@@ -778,7 +778,7 @@
if ((ia->ia_flags & IFA_ROUTE) &&
(rt = rtalloc1((struct sockaddr *)&ia->ia_addr, 0, 0UL))) {
rtflags = rt->rt_flags;
- rtfree(rt);
+ RTFREE_LOCKED(rt);
rtrequest(RTM_DELETE, (struct sockaddr *)&ia->ia_addr,
(struct sockaddr *)&ia->ia_addr,
(struct sockaddr *)&ia->ia_prefixmask,
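Review bot: at the RTFREE_LOCKED(rt) line, the very next statement is rtrequest(RTM_DELETE, ...) on the same ia->ia_addr, so the commit message should confirm that the macro both drops the reference and releases the entry's lock before that call runs; if it only dropped the reference, the delete would be issued with the entry still locked. Copying rt->rt_flags into rtflags before the release is the right order and should stay. A one-line comment above the rtalloc1() call saying that it returns the entry locked would keep a later edit from reverting this to rtfree().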
Index: netinet6/nd6_nbr.c
===================================================================
--- netinet6/nd6_nbr.c (revision 186333)
+++ netinet6/nd6_nbr.c (working copy)
@@ -259,7 +259,7 @@
need_proxy = (rt && (rt->rt_flags & RTF_ANNOUNCE) != 0 &&
rt->rt_gateway->sa_family == AF_LINK);
if (rt)
- rtfree(rt);
+ RTFREE_LOCKED(rt);
if (need_proxy) {
/*
* proxy NDP for single entry
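Review bot: the replacement is the sole body of an unbraced if (rt), and RTFREE_LOCKED is spelled as a macro, so confirm that it expands to a single statement (a do { ... } while (0) wrapper); otherwise only its first statement is guarded and the remainder runs when rt is NULL. Putting braces around the call here removes the dependency on the macro's definition. need_proxy is computed from rt->rt_flags and rt->rt_gateway before the release, which is the correct order.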
Index: netinet6/in6.c
===================================================================
--- netinet6/in6.c (revision 186333)
+++ netinet6/in6.c (working copy)
@@ -2141,16 +2141,16 @@
ifa = ifaof_ifpforaddr(__DECONST(struct sockaddr *, l3addr), ifp);
if (ifa != NULL) {
if (rt != NULL)
- rtfree(rt);
+ RTFREE_LOCKED(rt);
return 0;
}
log(LOG_INFO, "IPv6 address: \"%s\" is not on the network\n",
ip6_sprintf(ip6buf, &((const struct sockaddr_in6 *)l3addr)->sin6_addr));
if (rt != NULL)
- rtfree(rt);
+ RTFREE_LOCKED(rt);
return EINVAL;
}
- rtfree(rt);
+ RTFREE_LOCKED(rt);
return 0;
}
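Review bot: the last RTFREE_LOCKED(rt), just before the final return 0, is unguarded, while the two earlier calls in this hunk sit under if (rt != NULL); either show why rt cannot be NULL on the fall-through path or guard it the same way. With three release sites in sixteen lines, a single exit label that releases rt once and returns a saved error value would make it harder to miss a path the next time this function changes.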
Index: netinet6/in6_gif.c
===================================================================
--- netinet6/in6_gif.c (revision 186333)
+++ netinet6/in6_gif.c (working copy)
@@ -375,10 +375,10 @@
ip6_sprintf(ip6buf, &sin6.sin6_addr));
#endif
if (rt)
- rtfree(rt);
+ RTFREE_LOCKED(rt);
return 0;
}
- rtfree(rt);
+ RTFREE_LOCKED(rt);
}
return 128 * 2;
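Review bot: the lookup that produces rt is outside the visible context of this hunk, so the change is only correct if rt comes from rtalloc1() and is still locked at both release points; say so in the commit message or in a comment at the lookup. The first call is guarded by if (rt) and the second is not, so the same NULL question raised for in6.c applies here. Since the report's log lines concern a route on gif0, it would help to note in the PR whether the rtfree messages stop with this hunk alone or only with all four files patched.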
>Release-Note:
>Audit-Trail:
>Unformatted: