Date: Tue, 14 Mar 2017 03:40:38 -0500
From: Mike Karels <mike@karels.net>
To: "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc: freebsd-net@FreeBSD.org, Eugene Grosbein <eugen@freebsd.org>, "Alexander V. Chernikov" <melifaro@freebsd.org>, karels@FreeBSD.org
Subject: Re: LLE reference leak in the L2 cache
Message-ID: <201703140840.v2E8ecH2040827@mail.karels.net>
In-Reply-To: Your message of Tue, 14 Mar 2017 09:47:26 +0300. <18d77ab0-f818-d711-196b-69f10877ae80@yandex.ru>
> Hi All,
>
> Eugene has reported the following assertion in the ARP code:
> http://www.grosbein.net/freebsd/crash/arp-kassert.txt
>
> After some investigation I found that the L2 cache has a reference leak that
> can lead to integer overflow and this assertion.
>
> One of the ways to reproduce this overflow can be demonstrated with
> simple IP forwarding, when ip_forward() is used (not ip_tryforward).
> I asked olivier@ to reproduce this leak and he got this result:
> http://slexy.org/view/s21ql7nA0q
>
> After further investigation I found a similar leak in the IPv6 TCP path.
> A simple iperf test shows these results:
>
> # dtrace -n 'fbt::in6_lltable_dump_entry:entry {printf("%d",
> args[1]->lle_refcnt);}'
> dtrace: description 'fbt::in6_lltable_dump_entry:entry ' matched 1 probe
> CPU ID FUNCTION:NAME
> 51 18589 in6_lltable_dump_entry:entry 55721
> 51 18589 in6_lltable_dump_entry:entry 1
> 51 18589 in6_lltable_dump_entry:entry 1
> 51 18589 in6_lltable_dump_entry:entry 2
> 38 18589 in6_lltable_dump_entry:entry 111417
> 38 18589 in6_lltable_dump_entry:entry 1
> 38 18589 in6_lltable_dump_entry:entry 1
>
> --
> WBR, Andrey V. Elsukov

Thanks! Could you try the following patch (compiles, but untested):

Index: netinet/ip_input.c =================================================================== --- netinet/ip_input.c (revision 315160) +++ netinet/ip_input.c (working copy) @@ -60,6 +60,7 @@ #include <net/if_types.h> #include <net/if_var.h> #include <net/if_dl.h> +#include <net/if_llatbl.h> #include <net/route.h> #include <net/netisr.h> #include <net/rss_config.h> @@ -1066,6 +1067,8 @@ if (error == EMSGSIZE && ro.ro_rt) mtu = ro.ro_rt->rt_mtu; RO_RTFREE(&ro); + if (ro.ro_lle) + LLE_FREE(ro.ro_lle); if (error) IPSTAT_INC(ips_cantforward); Index: netinet6/ip6_forward.c =================================================================== --- netinet6/ip6_forward.c (revision 315160) +++ netinet6/ip6_forward.c (working copy) 
@@ -52,6 +52,7 @@ #include <net/if.h> #include <net/if_var.h> #include <net/netisr.h> +#include <net/if_llatbl.h> #include <net/route.h> #include <net/pfil.h> @@ -431,4 +432,6 @@ out: if (rt != NULL) RTFREE(rt); + if (rin6.ro_lle) + LLE_FREE(rin6.ro_lle); } Thanks, Mike
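
Review bot: in the netinet/ip_input.c hunk at -1066, ro.ro_lle still holds the old pointer after LLE_FREE(ro.ro_lle), and the same test-and-free pair is open-coded again in ip6_forward.c. Consider setting ro.ro_lle = NULL after the free, or folding the route release and the LLE release into one helper, so that a later caller which caches an LLE in its route structure cannot release the route and forget the entry. The context lines show only this one exit from the forwarding path, so it is also worth confirming that no earlier return leaves with ro.ro_lle set.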
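
Review bot: in the netinet6/ip6_forward.c hunk at -431, the new test reads rin6.ro_lle at the out: label, so it depends on rin6 having been zeroed before the first goto out. If any jump to out: can happen before rin6 is initialised, the test reads an uninitialised stack value and LLE_FREE() runs on it. Please confirm the initialisation order, or zero rin6 at the top of the function, and check that no return bypasses out: once ro_lle has been filled in; the patch is described as compiled but untested, so both paths need a run with the dtrace probe quoted above.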