From: "Andrey V. Elsukov"
To: freebsd-net@FreeBSD.org
Cc: karels@FreeBSD.org, Gleb Smirnoff, "Alexander V. Chernikov", Eugene Grosbein
Subject: LLE reference leak in the L2 cache
Date: Tue, 14 Mar 2017 09:47:26 +0300
Message-ID: <18d77ab0-f818-d711-196b-69f10877ae80@yandex.ru>
List-Id: Networking and TCP/IP with FreeBSD

Hi All,

Eugene has reported the following assertion in the ARP code:
http://www.grosbein.net/freebsd/crash/arp-kassert.txt

After some investigation I found that the L2 cache has a reference leak that can lead to an integer overflow and this assertion. One of the ways to reproduce this overflow can be demonstrated with simple IP forwarding, when ip_forward() is used (not ip_tryforward). I asked olivier@ to reproduce this leak and he got this result:
http://slexy.org/view/s21ql7nA0q

After further investigation I found a similar leak in the IPv6 TCP path.
A simple iperf test shows these results:

# dtrace -n 'fbt::in6_lltable_dump_entry:entry {printf("%d", args[1]->lle_refcnt);}'
dtrace: description 'fbt::in6_lltable_dump_entry:entry ' matched 1 probe
CPU     ID                    FUNCTION:NAME
 51  18589     in6_lltable_dump_entry:entry 55721
 51  18589     in6_lltable_dump_entry:entry 1
 51  18589     in6_lltable_dump_entry:entry 1
 51  18589     in6_lltable_dump_entry:entry 2
 38  18589     in6_lltable_dump_entry:entry 111417
 38  18589     in6_lltable_dump_entry:entry 1
 38  18589     in6_lltable_dump_entry:entry 1

-- 
WBR, Andrey V. Elsukov
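
The check below is an added example, not part of the original message. It reads output in the format of the dtrace one-liner quoted above and flags entries whose lle_refcnt is negative (the signed counter has already wrapped) or above a cut-off. The cut-off of 1000, the function names and the last sample row are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# Reads rows printed by the dtrace one-liner quoted in the message:
#   CPU  ID  FUNCTION:NAME  <lle_refcnt>
# and reports entries whose reference count looks leaked.

# Assumed cut-off: the other entries in the message's output show 1 or 2.
THRESHOLD="${THRESHOLD:-1000}"

# Sample rows: the first seven carry the values shown in the message;
# the last row is constructed to exercise the wrapped (negative) case.
sample_dtrace_output() {
    cat <<'EOF'
CPU     ID                    FUNCTION:NAME
 51  18589     in6_lltable_dump_entry:entry 55721
 51  18589     in6_lltable_dump_entry:entry 1
 51  18589     in6_lltable_dump_entry:entry 1
 51  18589     in6_lltable_dump_entry:entry 2
 38  18589     in6_lltable_dump_entry:entry 111417
 38  18589     in6_lltable_dump_entry:entry 1
 38  18589     in6_lltable_dump_entry:entry 1
  7  18589     in6_lltable_dump_entry:entry -2147480000
EOF
}

# flag_leaked_lle LIMIT: read dtrace rows on stdin, print one line per
# suspicious entry followed by a final summary line.
flag_leaked_lle() {
    awk -v limit="$1" '
        # Only data rows; the banner and the column header are skipped.
        $3 == "in6_lltable_dump_entry:entry" && $4 ~ /^-?[0-9]+$/ {
            total++
            refcnt = $4 + 0
            if (refcnt < 0) {            # signed counter already wrapped
                printf "WRAPPED cpu=%s lle_refcnt=%d\n", $1, refcnt; bad++
            } else if (refcnt > limit) { # far above the other entries
                printf "LEAK? cpu=%s lle_refcnt=%d\n", $1, refcnt; bad++
            }
        }
        END { printf "entries=%d suspicious=%d\n", total, bad }
    '
}

sample_dtrace_output | flag_leaked_lle "$THRESHOLD"
```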