Date:      Wed, 18 Jul 2012 10:56:14 +0400
From:      Andrey Zonov <andrey@zonov.org>
To:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   Re: panic: negative refcount 0xfffffe0007f1b4d4
Message-ID:  <50065E0E.50903@zonov.org>
In-Reply-To: <50048A34.10304@zonov.org>
References:  <5003EDC4.3050100@zonov.org> <50048A34.10304@zonov.org>

On 7/17/12 1:40 AM, Andrey Zonov wrote:
> On 7/16/12 2:32 PM, Andrey Zonov wrote:
>> Hi,
>>
>> I've got about 30 machines which panic sometimes in different places but
>> with the same panic message: "negative refcount 0xfffffe0007f1b4d4".
>> They are running under 9.0-STABLE@r234600M.
>>
> [snip]
>>
>> Is this a known issue?  If it is not, I've got textdumps and can send them to
>> anyone who wants to help me.
>>
>> Thanks in advance.
>>
>
> So, this is one more ifa leak.
>

It happens when "goto again" is called in ip_output(), in my case under 
IPFIREWALL_FORWARD.  I'm doing source routing with "ipfw fwd".  There 
are no leaks with this patch applied:

Index: sys/netinet/ip_output.c
===================================================================
--- sys/netinet/ip_output.c	(revision 234600)
+++ sys/netinet/ip_output.c	(working copy)
@@ -203,6 +203,8 @@ again:
  	 * The address family should also be checked in case of sharing the
  	 * cache with IPv6.
  	 */
+	if (ia != NULL)
+		ifa_free(&ia->ia_ifa);
  	rte = ro->ro_rt;
  	if (rte && ((rte->rt_flags & RTF_UP) == 0 ||
  		    rte->rt_ifp == NULL ||
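
Review bot: the added release right after the comment at `again:` drops the reference but leaves `ia` pointing at the address it just released; add `ia = NULL;` after `ifa_free(&ia->ia_ifa);`. If any path following `again:` reaches a later release of `ia` without reassigning it, the same reference would be dropped twice, which produces the very "negative refcount" panic this change is meant to remove. The check also runs on the first pass through `again:`, so it depends on `ia` being initialised to NULL before the label; that initialisation is not visible in this hunk and should be confirmed. A short comment saying that the release is for the re-entry case (the `goto again` taken under IPFIREWALL_FORWARD) would keep the next reader from deleting it as dead code.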


I also want to propose this patch:

Index: sys/sys/refcount.h
===================================================================
--- sys/sys/refcount.h	(revision 234600)
+++ sys/sys/refcount.h	(working copy)
@@ -51,6 +51,7 @@ static __inline void
  refcount_acquire(volatile u_int *count)
  {

+	KASSERT(*count < 0xffffff00, ("refcount %p is overflowed", count));
  	atomic_add_acq_int(count, 1);	
  }
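
Review bot: the new KASSERT in refcount_acquire() reads `*count` with a plain load and then increments it separately with atomic_add_acq_int(), so the check is best effort: several CPUs can pass it at the same value and then all increment. That is acceptable for a diagnostic, but it is presumably the reason for the headroom in 0xffffff00, and neither the headroom nor the reason is stated. Give the threshold a named constant or a one-line comment. The message "is overflowed" is also slightly off, since the assertion fires while the counter is still below the wrap point; wording such as "refcount %p is about to overflow" would describe the state seen in the dump more accurately. As a KASSERT it only helps on kernels built with INVARIANTS, so it will not change what production kernels without that option report.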


It will give a better diagnostic when a refcount is overflowed, instead of 
"negative refcount".

-- 
Andrey Zonov




