From owner-freebsd-net@FreeBSD.ORG  Wed Jun 25 10:08:49 2014
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 2C97DF99;
 Wed, 25 Jun 2014 10:08:49 +0000 (UTC)
Received: from cell.glebius.int.ru (glebius.int.ru [81.19.69.10])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "cell.glebius.int.ru", Issuer "cell.glebius.int.ru" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id A04602398;
 Wed, 25 Jun 2014 10:08:47 +0000 (UTC)
Received: from cell.glebius.int.ru (localhost [127.0.0.1])
 by cell.glebius.int.ru (8.14.8/8.14.8) with ESMTP id s5PA8Z3g053604
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO);
 Wed, 25 Jun 2014 14:08:35 +0400 (MSK)
 (envelope-from glebius@FreeBSD.org)
Received: (from glebius@localhost)
 by cell.glebius.int.ru (8.14.8/8.14.8/Submit) id s5PA8Z9g053603;
 Wed, 25 Jun 2014 14:08:35 +0400 (MSK)
 (envelope-from glebius@FreeBSD.org)
X-Authentication-Warning: cell.glebius.int.ru: glebius set sender to
 glebius@FreeBSD.org using -f
Date: Wed, 25 Jun 2014 14:08:35 +0400
From: Gleb Smirnoff <glebius@FreeBSD.org>
To: Alan Somers <asomers@freebsd.org>
Subject: Re: ifaddr refcount problem
Message-ID: <20140625100835.GK28199@glebius.int.ru>
References: <53A48849.8080504@chelsio.com> <20140623085229.GQ28199@FreeBSD.org>
 <CAOtMX2hGpvhK5TkBUfXvXisu5E2zen=h6MEv_Bxecn=aKsnnnQ@mail.gmail.com>
 <20140624090847.GB28199@glebius.int.ru>
 <CAOtMX2gV+nTLs-+pFWWETLKW2Dtrtxb-Z30Dq65Fctwy4pBfPA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="SWTRyWv/ijrBap1m"
Content-Disposition: inline
In-Reply-To: <CAOtMX2gV+nTLs-+pFWWETLKW2Dtrtxb-Z30Dq65Fctwy4pBfPA@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>,
 Navdeep Parhar <navdeep@chelsio.com>
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jun 2014 10:08:49 -0000


--SWTRyWv/ijrBap1m
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

  Alan,

On Tue, Jun 24, 2014 at 08:43:40AM -0600, Alan Somers wrote:
A> That looks better.  But I think there is one more possibility for a
A> leak.  For multicast packets, IFP_TO_IA at line 263 will call
A> ifa_ref(), unless the the interface has no address assigned.  How
A> about this patch instead?  Also, not tested.

Again you are right, thanks.

The patch needs to reset have_ia_ref in the 'goto again' case.

Also, I'd suggest a tiny change to your patch so that we don't
have a broken logic reading the code as "I have ia reference,
but don't have ia".

-- 
Totus tuus, Glebius.

--SWTRyWv/ijrBap1m
Content-Type: text/x-diff; charset=us-ascii
Content-Disposition: attachment; filename="ip_output_v4.diff"

Index: ip_output.c
===================================================================
--- ip_output.c	(revision 267536)
+++ ip_output.c	(working copy)
@@ -136,6 +136,7 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct
 	struct rtentry *rte;	/* cache for ro->ro_rt */
 	struct in_addr odst;
 	struct m_tag *fwd_tag = NULL;
+	int have_ia_ref;
 #ifdef IPSEC
 	int no_route_but_check_spd = 0;
 #endif
@@ -202,6 +203,7 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct
 	gw = dst = (struct sockaddr_in *)&ro->ro_dst;
 again:
 	ia = NULL;
+	have_ia_ref = 0;
 	/*
 	 * If there is a cached route, check that it is to the same
 	 * destination and is still up.  If not, free it and try again.
@@ -238,6 +240,7 @@ again:
 			error = ENETUNREACH;
 			goto bad;
 		}
+		have_ia_ref = 1;
 		ip->ip_dst.s_addr = INADDR_BROADCAST;
 		dst->sin_addr = ip->ip_dst;
 		ifp = ia->ia_ifp;
@@ -250,6 +253,7 @@ again:
 			error = ENETUNREACH;
 			goto bad;
 		}
+		have_ia_ref = 1;
 		ifp = ia->ia_ifp;
 		ip->ip_ttl = 1;
 		isbroadcast = in_broadcast(dst->sin_addr, ifp);
@@ -261,6 +265,8 @@ again:
 		 */
 		ifp = imo->imo_multicast_ifp;
 		IFP_TO_IA(ifp, ia);
+		if (ia)
+			have_ia_ref = 1;
 		isbroadcast = 0;	/* fool gcc */
 	} else {
 		/*
@@ -552,8 +558,11 @@ sendit:
 #endif
 			error = netisr_queue(NETISR_IP, m);
 			goto done;
-		} else
+		} else {
+			if (have_ia_ref)
+				ifa_free(&ia->ifa);
 			goto again;	/* Redo the routing table lookup. */
+		}
 	}
 
 	/* See if local, if yes, send it to netisr with IP_FASTFWD_OURS. */
@@ -582,6 +591,8 @@ sendit:
 		m->m_flags |= M_SKIP_FIREWALL;
 		m->m_flags &= ~M_IP_NEXTHOP;
 		m_tag_delete(m, fwd_tag);
+		if (have_ia_ref)
+			ifa_free(&ia->ifa);
 		goto again;
 	}
 
@@ -694,6 +705,8 @@ passout:
 done:
 	if (ro == &iproute)
 		RO_RTFREE(ro);
+	if (have_ia_ref)
+		ifa_free(&ia->ifa);
 	return (error);
 bad:
 	m_freem(m);

--SWTRyWv/ijrBap1m--