LLE reference leak in the L2 cache

Andrey V. Elsukov bu7cher at yandex.ru
Tue Mar 14 06:49:18 UTC 2017


Hi All,

Eugene has reported the following assertion in the ARP code:
	http://www.grosbein.net/freebsd/crash/arp-kassert.txt

After some investigation I found that the L2 cache has a reference leak that
can lead to an integer overflow and this assertion.
One of the ways to reproduce this overflow can be demonstrated with
simple IP forwarding, when ip_forward() is used (not ip_tryforward).

I asked olivier@ to reproduce this leak and he got this result:
	http://slexy.org/view/s21ql7nA0q

After further investigation I found a similar leak in the IPv6 TCP path.
Simple iperf test shows these results:

# dtrace -n 'fbt::in6_lltable_dump_entry:entry {printf("%d", args[1]->lle_refcnt);}'
dtrace: description 'fbt::in6_lltable_dump_entry:entry ' matched 1 probe
CPU     ID                    FUNCTION:NAME
 51  18589     in6_lltable_dump_entry:entry 55721
 51  18589     in6_lltable_dump_entry:entry 1
 51  18589     in6_lltable_dump_entry:entry 1
 51  18589     in6_lltable_dump_entry:entry 2
 38  18589     in6_lltable_dump_entry:entry 111417
 38  18589     in6_lltable_dump_entry:entry 1
 38  18589     in6_lltable_dump_entry:entry 1

-- 
WBR, Andrey V. Elsukov
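
As an added illustration (not part of the original message and not FreeBSD code): a simplified C model of how one unreleased reference per packet makes a reference counter climb toward INT_MAX, with a checked increment that refuses to wrap. The struct, the function names, and the signed int counter type are assumptions made for the example.

```c
#include <limits.h>
#include <stdio.h>

/* Simplified stand-in for a link-layer entry; not the FreeBSD struct. */
struct entry {
    int refcnt;                 /* assumed signed int, as printed with %d */
};

/* Take a reference; refuse rather than wrap past INT_MAX. 0 on success. */
static int entry_ref(struct entry *e)
{
    if (e->refcnt < 0 || e->refcnt == INT_MAX)
        return -1;              /* state a sanity assertion would catch */
    e->refcnt++;
    return 0;
}

static void entry_unref(struct entry *e)
{
    if (e->refcnt > 0)
        e->refcnt--;
}

/* Hypothetical send path: references the entry for the duration of one
 * packet. With leaky != 0 it returns without dropping the reference. */
static int send_packet(struct entry *e, int leaky)
{
    if (entry_ref(e) != 0)
        return -1;
    if (!leaky)
        entry_unref(e);
    return 0;
}

/* Send n packets; return the final count, or -1 if the counter saturated. */
long run(int start, long n, int leaky)
{
    struct entry e = { start };
    for (long i = 0; i < n; i++)
        if (send_packet(&e, leaky) != 0)
            return -1;
    return e.refcnt;
}

int main(void)
{
    printf("balanced: %ld\n", run(1, 111416, 0));
    printf("leaky:    %ld\n", run(1, 111416, 1));
    printf("near max: %ld\n", run(INT_MAX - 2, 5, 1));
    return 0;
}
```

A balanced path leaves the count at its starting value regardless of traffic, so a count that grows with the number of packets sent, as in the dtrace output above, points at a missing release.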


More information about the freebsd-net mailing list