From owner-freebsd-bugs@FreeBSD.ORG  Sat Dec 20 21:00:11 2008
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 81B3B1065670
	for <freebsd-bugs@hub.freebsd.org>;
	Sat, 20 Dec 2008 21:00:11 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id 5CCCA8FC1B
	for <freebsd-bugs@hub.freebsd.org>;
	Sat, 20 Dec 2008 21:00:11 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id mBKL03jS072077
	for <freebsd-bugs@freefall.freebsd.org>; Sat, 20 Dec 2008 21:00:03 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.3/8.14.3/Submit) id mBKL03T2072076;
	Sat, 20 Dec 2008 21:00:03 GMT (envelope-from gnats)
Resent-Date: Sat, 20 Dec 2008 21:00:03 GMT
Resent-Message-Id: <200812202100.mBKL03T2072076@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Dheeraj Reddy <dheeraj@ece.gatech.edu>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id D085F1065674
	for <freebsd-gnats-submit@FreeBSD.org>;
	Sat, 20 Dec 2008 20:51:38 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id BE1508FC22
	for <freebsd-gnats-submit@FreeBSD.org>;
	Sat, 20 Dec 2008 20:51:38 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id mBKKpb0P036739
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 20 Dec 2008 20:51:37 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id mBKKpbhN036738;
	Sat, 20 Dec 2008 20:51:37 GMT (envelope-from nobody)
Message-Id: <200812202051.mBKKpbhN036738@www.freebsd.org>
Date: Sat, 20 Dec 2008 20:51:37 GMT
From: Dheeraj Reddy <dheeraj@ece.gatech.edu>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc: 
Subject: kern/129793: Locking related leaks in the kernel (routing handling)
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Dec 2008 21:00:11 -0000


>Number:         129793
>Category:       kern
>Synopsis:       Locking related leaks in the kernel (routing handling)
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 20 21:00:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Dheeraj Reddy
>Release:        FreeBSD-current
>Organization:
Intel
>Environment:
/var/log % uname -a
FreeBSD vagisha.sudheeraj.net 8.0-CURRENT FreeBSD 8.0-CURRENT #1 r186333M: Sat Dec 20 12:22:11 PST 2008     dheeraj@vagisha.sudheeraj.net:/usr/src/sys/i386/compile/VAGISHA-CURRENT  i386


>Description:
I have a gif tunnel setup to hurricane electric.
When I have ipv6 traffic, I get the following kernel messages

Dec 20 00:15:42 vagisha kernel: rtfree: 0xc22e0958 has 1 refs
Dec 20 00:16:18 vagisha kernel: rtfree: 0xc22e0958 has 1 refs
Dec 20 01:03:14 vagisha kernel: rtfree: 0xc22e0958 has 1 refs
Dec 20 01:04:27 vagisha kernel: rtfree: 0xc22e0958 has 1 refs
Dec 20 03:01:01 vagisha kernel: rtfree: 0xc22e0958 has 1 refs
Dec 20 08:34:35 vagisha kernel: rtfree: 0xc22e0958 has 1 refs

netstat -rAn shows that 0xC22e0958 is he default route for ipv6 traffic via gif0 
c22e0958 fe80::%gif0/64                    link#6                        U        gif0          mask (255) ffff ffff ffff ffff ffff ffff ffff



>How-To-Repeat:
Setup a gif tunnel to a tunnelbroker and just send some icmp traffic over the ipv6 network.


>Fix:
Patch attached.
rtalloc1 returns a locked route entry.. so we should use RTFREE_LOCKED instead of rtfree.

Patch attached with submission follows:

Index: netinet6/in6_ifattach.c
===================================================================
--- netinet6/in6_ifattach.c	(revision 186333)
+++ netinet6/in6_ifattach.c	(working copy)
@@ -778,7 +778,7 @@
 		if ((ia->ia_flags & IFA_ROUTE) &&
 		    (rt = rtalloc1((struct sockaddr *)&ia->ia_addr, 0, 0UL))) {
 			rtflags = rt->rt_flags;
-			rtfree(rt);
+			RTFREE_LOCKED(rt);
 			rtrequest(RTM_DELETE, (struct sockaddr *)&ia->ia_addr,
 			    (struct sockaddr *)&ia->ia_addr,
 			    (struct sockaddr *)&ia->ia_prefixmask,
Index: netinet6/nd6_nbr.c
===================================================================
--- netinet6/nd6_nbr.c	(revision 186333)
+++ netinet6/nd6_nbr.c	(working copy)
@@ -259,7 +259,7 @@
 		need_proxy = (rt && (rt->rt_flags & RTF_ANNOUNCE) != 0 &&
 		    rt->rt_gateway->sa_family == AF_LINK);
 		if (rt)
-			rtfree(rt);
+			RTFREE_LOCKED(rt);
 		if (need_proxy) {
 			/*
 			 * proxy NDP for single entry
Index: netinet6/in6.c
===================================================================
--- netinet6/in6.c	(revision 186333)
+++ netinet6/in6.c	(working copy)
@@ -2141,16 +2141,16 @@
 		ifa = ifaof_ifpforaddr(__DECONST(struct sockaddr *, l3addr), ifp);
 		if (ifa != NULL) {
 			if (rt != NULL)
-				rtfree(rt);
+				RTFREE_LOCKED(rt);
 			return 0;
 		}
 		log(LOG_INFO, "IPv6 address: \"%s\" is not on the network\n",
 		    ip6_sprintf(ip6buf, &((const struct sockaddr_in6 *)l3addr)->sin6_addr));
 		if (rt != NULL)
-			rtfree(rt);
+			RTFREE_LOCKED(rt);
 		return EINVAL;
 	}
-	rtfree(rt);
+	RTFREE_LOCKED(rt);
 	return 0;
 }
 
Index: netinet6/in6_gif.c
===================================================================
--- netinet6/in6_gif.c	(revision 186333)
+++ netinet6/in6_gif.c	(working copy)
@@ -375,10 +375,10 @@
 			    ip6_sprintf(ip6buf, &sin6.sin6_addr));
 #endif
 			if (rt)
-				rtfree(rt);
+				RTFREE_LOCKED(rt);
 			return 0;
 		}
-		rtfree(rt);
+		RTFREE_LOCKED(rt);
 	}
 
 	return 128 * 2;


>Release-Note:
>Audit-Trail:
>Unformatted: