From owner-svn-src-all@FreeBSD.ORG Sun Jun 3 07:36:59 2012 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DA2F81065672; Sun, 3 Jun 2012 07:36:59 +0000 (UTC) (envelope-from emax@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id C58F88FC1D; Sun, 3 Jun 2012 07:36:59 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id q537axBg042647; Sun, 3 Jun 2012 07:36:59 GMT (envelope-from emax@svn.freebsd.org) Received: (from emax@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id q537axiD042645; Sun, 3 Jun 2012 07:36:59 GMT (envelope-from emax@svn.freebsd.org) Message-Id: <201206030736.q537axiD042645@svn.freebsd.org> From: Maksim Yevmenkin Date: Sun, 3 Jun 2012 07:36:59 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r236501 - head/sys/netinet6 X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 03 Jun 2012 07:36:59 -0000 Author: emax Date: Sun Jun 3 07:36:59 2012 New Revision: 236501 URL: http://svn.freebsd.org/changeset/base/236501 Log: Plug reference leak. Interface routes are refcounted as packets move through the stack, and there's garbage collection tied to it so that route changes can safely propagate while traffic is flowing. In our setup, we weren't changing or deleting any routes, but the refcounting logic in ip6_input() was wrong and caused a reference leak on every inbound V6 packet. This eventually caused a 32bit overflow, and the resulting 0 value caused the garbage collection to run on the active route. That then snowballed into the panic. Reviewed by: scottl MFC after: 3 days Modified: head/sys/netinet6/ip6_input.c Modified: head/sys/netinet6/ip6_input.c ============================================================================== --- head/sys/netinet6/ip6_input.c Sun Jun 3 06:57:47 2012 (r236500) +++ head/sys/netinet6/ip6_input.c Sun Jun 3 07:36:59 2012 (r236501) @@ -879,19 +879,23 @@ passin: * as our interface address (e.g. multicast addresses, addresses * within FAITH prefixes and such). */ - if (deliverifp && !ip6_getdstifaddr(m)) { + if (deliverifp) { struct in6_ifaddr *ia6; - ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst); - if (ia6) { - if (!ip6_setdstifaddr(m, ia6)) { - /* - * XXX maybe we should drop the packet here, - * as we could not provide enough information - * to the upper layers. - */ - } + if ((ia6 = ip6_getdstifaddr(m)) != NULL) { ifa_free(&ia6->ia_ifa); + } else { + ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst); + if (ia6) { + if (!ip6_setdstifaddr(m, ia6)) { + /* + * XXX maybe we should drop the packet here, + * as we could not provide enough information + * to the upper layers. + */ + } + ifa_free(&ia6->ia_ifa); + } } }