svn commit: r206481 - in head/sys: net netinet netinet6
Bjoern A. Zeeb
bz at FreeBSD.org
Sun Apr 11 16:04:09 UTC 2010
Author: bz
Date: Sun Apr 11 16:04:08 2010
New Revision: 206481
URL: http://svn.freebsd.org/changeset/base/206481
Log:
Plug reference leaks in the link-layer code ("new-arp") that previously
prevented the link-layer entry from being freed.
In both in.c and in6.c (though that code path seems to be basically dead)
plug a reference leak in case of a pending callout being drained.
In if_ether.c consistently add a reference before resetting the callout
and in case we canceled a pending one remove the reference for that.
In the final case in arptimer, before freeing the expired entry, remove
the reference again and explicitly call callout_stop() to clear the active
flag.
In nd6.c:nd6_free() we are only ever called from the callout function and
thus need to remove the reference there as well before calling into
llentry_free().
In if_llatbl.c when freeing entire tables make sure that in case we cancel
a pending callout to remove the reference as well.
Reviewed by: qingli (earlier version)
MFC after: 10 days
Problem observed, patch tested by: simon on ipv6gw.f.o,
Christian Kratzer (ck cksoft.de),
Evgenii Davidov (dado korolev-net.ru)
PR: kern/144564
Configurations still affected: with options FLOWTABLE
Modified:
head/sys/net/if_llatbl.c
head/sys/netinet/if_ether.c
head/sys/netinet/in.c
head/sys/netinet6/in6.c
head/sys/netinet6/nd6.c
Modified: head/sys/net/if_llatbl.c
==============================================================================
--- head/sys/net/if_llatbl.c Sun Apr 11 15:35:17 2010 (r206480)
+++ head/sys/net/if_llatbl.c Sun Apr 11 16:04:08 2010 (r206481)
@@ -170,9 +170,12 @@ lltable_free(struct lltable *llt)
for (i=0; i < LLTBL_HASHTBL_SIZE; i++) {
LIST_FOREACH_SAFE(lle, &llt->lle_head[i], lle_next, next) {
+ int canceled;
- callout_drain(&lle->la_timer);
+ canceled = callout_drain(&lle->la_timer);
LLE_WLOCK(lle);
+ if (canceled)
+ LLE_REMREF(lle);
llentry_free(lle);
}
}
Modified: head/sys/netinet/if_ether.c
==============================================================================
--- head/sys/netinet/if_ether.c Sun Apr 11 15:35:17 2010 (r206480)
+++ head/sys/netinet/if_ether.c Sun Apr 11 16:04:08 2010 (r206481)
@@ -180,6 +180,8 @@ arptimer(void *arg)
else {
if (!callout_pending(&lle->la_timer) &&
callout_active(&lle->la_timer)) {
+ callout_stop(&lle->la_timer);
+ LLE_REMREF(lle);
(void) llentry_free(lle);
ARPSTAT_INC(timeouts);
}
@@ -382,9 +384,14 @@ retry:
EHOSTUNREACH : EHOSTDOWN;
if (renew) {
+ int canceled;
+
LLE_ADDREF(la);
la->la_expire = time_second + V_arpt_down;
- callout_reset(&la->la_timer, hz * V_arpt_down, arptimer, la);
+ canceled = callout_reset(&la->la_timer, hz * V_arpt_down,
+ arptimer, la);
+ if (canceled)
+ LLE_REMREF(la);
la->la_asked++;
LLE_WUNLOCK(la);
arprequest(ifp, NULL, &SIN(dst)->sin_addr,
@@ -696,9 +703,14 @@ match:
EVENTHANDLER_INVOKE(arp_update_event, la);
if (!(la->la_flags & LLE_STATIC)) {
+ int canceled;
+
+ LLE_ADDREF(la);
la->la_expire = time_second + V_arpt_keep;
- callout_reset(&la->la_timer, hz * V_arpt_keep,
- arptimer, la);
+ canceled = callout_reset(&la->la_timer,
+ hz * V_arpt_keep, arptimer, la);
+ if (canceled)
+ LLE_REMREF(la);
}
la->la_asked = 0;
la->la_preempt = V_arp_maxtries;
Modified: head/sys/netinet/in.c
==============================================================================
--- head/sys/netinet/in.c Sun Apr 11 15:35:17 2010 (r206480)
+++ head/sys/netinet/in.c Sun Apr 11 16:04:08 2010 (r206481)
@@ -1357,8 +1357,12 @@ in_lltable_prefix_free(struct lltable *l
if (IN_ARE_MASKED_ADDR_EQUAL((struct sockaddr_in *)L3_ADDR(lle),
pfx, msk)) {
- callout_drain(&lle->la_timer);
+ int canceled;
+
+ canceled = callout_drain(&lle->la_timer);
LLE_WLOCK(lle);
+ if (canceled)
+ LLE_REMREF(lle);
llentry_free(lle);
}
}
Modified: head/sys/netinet6/in6.c
==============================================================================
--- head/sys/netinet6/in6.c Sun Apr 11 15:35:17 2010 (r206480)
+++ head/sys/netinet6/in6.c Sun Apr 11 16:04:08 2010 (r206481)
@@ -2344,8 +2344,12 @@ in6_lltable_prefix_free(struct lltable *
&((struct sockaddr_in6 *)L3_ADDR(lle))->sin6_addr,
&pfx->sin6_addr,
&msk->sin6_addr)) {
- callout_drain(&lle->la_timer);
+ int canceled;
+
+ canceled = callout_drain(&lle->la_timer);
LLE_WLOCK(lle);
+ if (canceled)
+ LLE_REMREF(lle);
llentry_free(lle);
}
}
Modified: head/sys/netinet6/nd6.c
==============================================================================
--- head/sys/netinet6/nd6.c Sun Apr 11 15:35:17 2010 (r206480)
+++ head/sys/netinet6/nd6.c Sun Apr 11 16:04:08 2010 (r206481)
@@ -1125,6 +1125,7 @@ nd6_free(struct llentry *ln, int gc)
ifp = ln->lle_tbl->llt_ifp;
IF_AFDATA_LOCK(ifp);
LLE_WLOCK(ln);
+ LLE_REMREF(ln);
llentry_free(ln);
IF_AFDATA_UNLOCK(ifp);
More information about the svn-src-all
mailing list