LLE reference leak in the L2 cache
Andrey V. Elsukov
bu7cher at yandex.ru
Tue Mar 14 06:49:18 UTC 2017
Hi All,

Eugene has reported the following assertion in the ARP code:
http://www.grosbein.net/freebsd/crash/arp-kassert.txt

After some investigation I found that the L2 cache has a reference leak
that can lead to an integer overflow and this assertion.
One of the ways to reproduce this overflow can be demonstrated with
simple IP forwarding, when ip_forward() is used (not ip_tryforward).
I asked olivier@ to reproduce this leak and he got this result:
http://slexy.org/view/s21ql7nA0q

After further investigation I found a similar leak in the IPv6 TCP path.
A simple iperf test shows these results:
# dtrace -n 'fbt::in6_lltable_dump_entry:entry {printf("%d", args[1]->lle_refcnt);}'
dtrace: description 'fbt::in6_lltable_dump_entry:entry ' matched 1 probe
CPU     ID                    FUNCTION:NAME
 51  18589   in6_lltable_dump_entry:entry 55721
 51  18589   in6_lltable_dump_entry:entry 1
 51  18589   in6_lltable_dump_entry:entry 1
 51  18589   in6_lltable_dump_entry:entry 2
 38  18589   in6_lltable_dump_entry:entry 111417
 38  18589   in6_lltable_dump_entry:entry 1
 38  18589   in6_lltable_dump_entry:entry 1
--
WBR, Andrey V. Elsukov