From owner-freebsd-bugs@FreeBSD.ORG  Fri Oct 24 13:55:26 2014
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 668A0A88
 for <freebsd-bugs@FreeBSD.org>; Fri, 24 Oct 2014 13:55:26 +0000 (UTC)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2001:1900:2254:206a::16:76])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 4CE22850
 for <freebsd-bugs@FreeBSD.org>; Fri, 24 Oct 2014 13:55:26 +0000 (UTC)
Received: from bugs.freebsd.org ([127.0.1.118])
 by kenobi.freebsd.org (8.14.9/8.14.9) with ESMTP id s9ODtQo4092775
 for <freebsd-bugs@FreeBSD.org>; Fri, 24 Oct 2014 13:55:26 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 194577] New: mbuf packet header leakage when closing TUN devices
Date: Fri, 24 Oct 2014 13:55:26 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 9.2-STABLE
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: hselasky@FreeBSD.org
X-Bugzilla-Status: Needs Triage
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform
 op_sys bug_status bug_severity priority component assigned_to reporter
Message-ID: <bug-194577-8@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs/>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Oct 2014 13:55:26 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194577

            Bug ID: 194577
           Summary: mbuf packet header leakage when closing TUN devices
           Product: Base System
           Version: 9.2-STABLE
          Hardware: Any
                OS: Any
            Status: Needs Triage
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: hselasky@FreeBSD.org

Hi,

I have a VPN client running which has automatic restarts activated. That means
the TUN device is regularly opened and closed. Every time the TUN device
closes, an mbuf header of 256 bytes is leaked. After some weeks of uptime the
system stops working.

I've added some additional code into the kernel to trace this, and the
backtrace of one of those allocations what are not freed after 60 seconds, are
as follows:

X=184
KDB: stack backtrace:
db_trace_self_wrapper(c0a38777,c0a678ac,c06c87f0,c7bd3750,a,c7bd3798,5,ffffffff,0,0,553b80,c7bd3818,c2a47440,c7bd3778,c06c824e,
c7bd3798,c7bd378c,c06c82fb,c0a678ac,c7bd3798) at
db_trace_self_wrapper+0x26/frame 0xc7bd3730
kdb_backtrace(c0a678ac,b8,20,1,c29525e0,...) at kdb_backtrace+0x2b/frame
0xc7bd378c
uma_zalloc_arg(c13e45a0,c7bd3860,1,c29525e0,c0aff0e4,...) at
uma_zalloc_arg+0x706/frame 0xc7bd37dc
mld_v2_enqueue_group_record(0,0,2,20,c2a12a60,...) at
mld_v2_enqueue_group_record+0x909/frame 0xc7bd38a8
mld_change_state(c302e200,0,0,0,2,...) at mld_change_state+0x509/frame
0xc7bd3904
in6_mc_leave_locked(c302e200,0,c2895000,c7bd394c,c0676d4a,...) at
in6_mc_leave_locked+0x2d/frame 0xc7bd3928
in6_mc_leave(c302e200,0,4,c7bd39ec,c084a1fa,...) at in6_mc_leave+0x37/frame
0xc7bd394c
in6_leavegroup(c2e163d0,c3250e90,10,4,0,...) at in6_leavegroup+0x20/frame
0xc7bd3960
in6_purgeaddr(c3250e00,0,0,c3274238,c3274200,...) at in6_purgeaddr+0xea/frame
0xc7bd39ec
if_purgeaddrs(c2a54800,2,4,c7bd3aa8,0,...) at if_purgeaddrs+0x10a/frame
0xc7bd3a58
tunclose(c3281800,7,2000,c2afc2f0,c7bd3abc,...) at tunclose+0x15f/frame
0xc7bd3a80
devfs_close(c7bd3af4,c7bd3af4,c338cd50,7,c7bd3b18,...) at
devfs_close+0x17f/frame 0xc7bd3ac4
VOP_CLOSE_APV(c0a99ce0,c7bd3af4,c0a40f74,141,c0ad08a0,...) at
VOP_CLOSE_APV+0x4a/frame 0xc7bd3adc
vn_close(c338cd50,7,c2956180,c2afc2f0,0,...) at vn_close+0x99/frame 0xc7bd3b18
vn_closefile(c314b460,c2afc2f0,c314b460,0,c2afc2f0,...) at
vn_closefile+0x53/frame 0xc7bd3b74
devfs_close_f(c314b460,c2afc2f0,3000000,0,1,...) at devfs_close_f+0x34/frame
0xc7bd3b90
_fdrop(c314b460,c2afc2f0,0,c7bd3c00,2,0,0,c2b7d2d8,4,2,c7bd3c1c,c09b22e9,c2957760,288df000,2,0,c7bd3c10,c06462a4,1f,c314b460)
a
t _fdrop+0x2d/frame 0xc7bd3bac
closef(c314b460,c2afc2f0,0,c7bd3c38,c09b1d76,...) at closef+0x5b/frame
0xc7bd3c10
kern_close(c2afc2f0,6,c7bd3c98,c09bb3b2,c0aff1c0,...) at kern_close+0x18d/frame
0xc7bd3c48
syscall(c7bd3d08) at syscall+0x535/frame 0xc7bd3cfc
Xint0x80_syscall() at Xint0x80_syscall+0x21/frame 0xc7bd3cfc
--- syscall (6, FreeBSD ELF32, sys_close), eip = 0x283c2393, esp = 0xbfbfe37c,
ebp = 0xbfbfe388 ---

X=176
KDB: stack backtrace:
db_trace_self_wrapper(c0a38777,c0a678ac,c06c87f0,d26fca30,a,d26fca78,5,ffffffff,0,0,d26fca70,c06d3f9d,c2e0ebc0,d26fca58,c06c824
e,d26fca78,d26fca6c,c06c82fb,c0a678ac,d26fca78) at
db_trace_self_wrapper+0x26/frame 0xd26fca10
kdb_backtrace(c0a678ac,b0,20,2,c2edc6d4,...) at kdb_backtrace+0x2b/frame
0xd26fca6c
uma_zalloc_arg(c13e45a0,d26fcadc,2,9d0001,0,...) at uma_zalloc_arg+0x706/frame
0xd26fcabc
m_getm2(0,a1,2,1,2,...) at m_getm2+0xc1/frame 0xd26fcaf0
m_uiotombuf(d26fcbb0,2,800,64,2,...) at m_uiotombuf+0x80/frame 0xd26fcb24
sosend_generic(c32579c0,0,d26fcbb0,0,0,...) at sosend_generic+0x2be/frame
0xd26fcb80
kern_sendit(c326d000,4,d26fcc24,0,0,...) at kern_sendit+0x185/frame 0xd26fcbe0
sendit(0,0,0,d26fcc40,1,...) at sendit+0xda/frame 0xd26fcc18
sys_sendto(c326d000,d26fcccc,c0aff0e4,c09bb3b2,c0aff1c0,...) at
sys_sendto+0x48/frame 0xd26fcc48
syscall(d26fcd08) at syscall+0x535/frame 0xd26fccfc
Xint0x80_syscall() at Xint0x80_syscall+0x21/frame 0xd26fccfc
--- syscall (133, FreeBSD ELF32, sys_sendto), eip = 0x283a148b, esp =
0xbfbfd39c, ebp = 0xbfbfd3c8 ---

X=177
KDB: stack backtrace:
db_trace_self_wrapper(c0a38777,c0a678ac,c06c87f0,d26fc9d4,a,d26fca1c,5,ffffffff,0,0,c0aff1c0,c326d000,c326d000,d26fc9fc,c06c824
e,d26fca1c,d26fca10,c06c82fb,c0a678ac,d26fca1c) at
db_trace_self_wrapper+0x26/frame 0xd26fc9b4
kdb_backtrace(c0a678ac,b1,20,1,c0695933,...) at kdb_backtrace+0x2b/frame
0xd26fca10
uma_zalloc_arg(c13e45a0,d26fca78,1,c2b06d00,0,...) at
uma_zalloc_arg+0x706/frame 0xd26fca60
sbappendaddr_locked_internal(0,0,0,c2edc680,4,...) at
sbappendaddr_locked_internal+0x49/frame 0xd26fca8c
sbappendaddr_locked(c2edc6d4,c0a3dec0,c2b06d00,0,c2b06d9c,...) at
sbappendaddr_locked+0x6c/frame 0xd26fcaac
uipc_send(c32579c0,0,c2b06d00,0,0,...) at uipc_send+0x763/frame 0xd26fcb24
sosend_generic(c32579c0,0,d26fcbb0,c2b06d00,0,...) at
sosend_generic+0x385/frame 0xd26fcb80
kern_sendit(c326d000,4,d26fcc24,0,0,...) at kern_sendit+0x185/frame 0xd26fcbe0
sendit(0,0,0,d26fcc40,1,...) at sendit+0xda/frame 0xd26fcc18
sys_sendto(c326d000,d26fcccc,c0aff0e4,c09bb3b2,c0aff1c0,...) at
sys_sendto+0x48/frame 0xd26fcc48
syscall(d26fcd08) at syscall+0x535/frame 0xd26fccfc
Xint0x80_syscall() at Xint0x80_syscall+0x21/frame 0xd26fccfc
--- syscall (133, FreeBSD ELF32, sys_sendto), eip = 0x283a148b, esp =
0xbfbfd39c, ebp = 0xbfbfd3c8 ---

X=178
KDB: stack backtrace:
db_trace_self_wrapper(c0a38777,c0a678ac,c06c87f0,d26fc9d4,a,d26fca1c,5,ffffffff,0,0,c0aff1c0,c326d000,c326d000,d26fc9fc,c06c824
e,d26fca1c,d26fca10,c06c82fb,c0a678ac,d26fca1c) at
db_trace_self_wrapper+0x26/frame 0xd26fc9b4
kdb_backtrace(c0a678ac,b2,20,1,c0695933,...) at kdb_backtrace+0x2b/frame
0xd26fca10
uma_zalloc_arg(c13e45a0,d26fca78,1,c2b03700,0,...) at
uma_zalloc_arg+0x706/frame 0xd26fca60
sbappendaddr_locked_internal(0,0,0,c2edc680,4,...) at
sbappendaddr_locked_internal+0x49/frame 0xd26fca8c
sbappendaddr_locked(c2edc6d4,c0a3dec0,c2b03700,0,c2b0379c,...) at
sbappendaddr_locked+0x6c/frame 0xd26fcaac
uipc_send(c32579c0,0,c2b03700,0,0,...) at uipc_send+0x763/frame 0xd26fcb24
sosend_generic(c32579c0,0,d26fcbb0,c2b03700,0,...) at
sosend_generic+0x385/frame 0xd26fcb80
kern_sendit(c326d000,4,d26fcc24,0,0,...) at kern_sendit+0x185/frame 0xd26fcbe0
sendit(0,0,0,d26fcc40,1,...) at sendit+0xda/frame 0xd26fcc18
sys_sendto(c326d000,d26fcccc,d26fcc98,c09bb3b2,c0aff1c0,...) at
sys_sendto+0x48/frame 0xd26fcc48
syscall(d26fcd08) at syscall+0x535/frame 0xd26fccfc
Xint0x80_syscall() at Xint0x80_syscall+0x21/frame 0xd26fccfc
--- syscall (133, FreeBSD ELF32, sys_sendto), eip = 0x283a148b, esp =
0xbfbfd58c, ebp = 0xbfbfd5b8 ---

--HPS

-- 
You are receiving this mail because:
You are the assignee for the bug.