From owner-svn-src-head@FreeBSD.ORG  Sun Jun  3 11:52:17 2012
Return-Path: <owner-svn-src-head@FreeBSD.ORG>
Delivered-To: svn-src-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id AAF0E106566B;
	Sun,  3 Jun 2012 11:52:17 +0000 (UTC) (envelope-from bz@FreeBSD.org)
Received: from mx1.sbone.de (bird.sbone.de [46.4.1.90])
	by mx1.freebsd.org (Postfix) with ESMTP id 2714E8FC15;
	Sun,  3 Jun 2012 11:52:17 +0000 (UTC)
Received: from mail.sbone.de (mail.sbone.de [IPv6:fde9:577b:c1a9:31::2013:587])
	(using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.sbone.de (Postfix) with ESMTPS id C449F25D3A9B;
	Sun,  3 Jun 2012 11:52:15 +0000 (UTC)
Received: from content-filter.sbone.de (content-filter.sbone.de
	[IPv6:fde9:577b:c1a9:31::2013:2742])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.sbone.de (Postfix) with ESMTPS id DE2FFBE7517;
	Sun,  3 Jun 2012 11:52:14 +0000 (UTC)
X-Virus-Scanned: amavisd-new at sbone.de
Received: from mail.sbone.de ([IPv6:fde9:577b:c1a9:31::2013:587])
	by content-filter.sbone.de (content-filter.sbone.de
	[fde9:577b:c1a9:31::2013:2742]) (amavisd-new, port 10024)
	with ESMTP id 4OQOWj-RNF8s; Sun,  3 Jun 2012 11:52:13 +0000 (UTC)
Received: from orange-en1.sbone.de (orange-en1.sbone.de
	[IPv6:fde9:577b:c1a9:31:cabc:c8ff:fecf:e8e3])
	(using TLSv1 with cipher AES128-SHA (128/128 bits))
	(No client certificate requested)
	by mail.sbone.de (Postfix) with ESMTPSA id 7B804BE7518;
	Sun,  3 Jun 2012 11:52:13 +0000 (UTC)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
In-Reply-To: <201206030736.q537axiD042645@svn.freebsd.org>
Date: Sun, 3 Jun 2012 11:52:11 +0000
Content-Transfer-Encoding: quoted-printable
Message-Id: <930B5C42-C9B7-49BD-A610-AAD7FEAC1BD9@FreeBSD.org>
References: <201206030736.q537axiD042645@svn.freebsd.org>
To: Maksim Yevmenkin <emax@FreeBSD.org>,
 Scott Long <scottl@FreeBSD.org>
X-Mailer: Apple Mail (2.1084)
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org,
	src-committers@freebsd.org
Subject: Re: svn commit: r236501 - head/sys/netinet6
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
	<svn-src-head.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-head>,
	<mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-head>,
	<mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Jun 2012 11:52:17 -0000


On 3. Jun 2012, at 07:36 , Maksim Yevmenkin wrote:

> Author: emax
> Date: Sun Jun  3 07:36:59 2012
> New Revision: 236501
> URL: http://svn.freebsd.org/changeset/base/236501
>=20
> Log:
>  Plug reference leak.
>=20
>  Interface routes are refcounted as packets move through the stack,
>  and there's garbage collection tied to it so that route changes can
>  safely propagate while traffic is flowing. In our setup, we weren't
>  changing or deleting any routes, but the refcounting logic in
>  ip6_input() was wrong and caused a reference leak on every inbound
>  V6 packet. This eventually caused a 32bit overflow, and the resulting
>  0 value caused the garbage collection to run on the active route.
>  That then snowballed into the panic.

Global s/route/address/ above.  Awesome you found this.  I have =
certainly
read the code several times lately incl. having done the initial review
and always missed it.

I'll try to get around reviewing the other two you put in my inbox.

Great job and finally someone doing 1<<32 packet IPv6 one uptime.
Been waiting for that to happen for a long time:-)

/bz

>=20
>  Reviewed by:	scottl
>  MFC after:	3 days
>=20
> Modified:
>  head/sys/netinet6/ip6_input.c
>=20
> Modified: head/sys/netinet6/ip6_input.c
> =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D
> --- head/sys/netinet6/ip6_input.c	Sun Jun  3 06:57:47 2012	=
(r236500)
> +++ head/sys/netinet6/ip6_input.c	Sun Jun  3 07:36:59 2012	=
(r236501)
> @@ -879,19 +879,23 @@ passin:
> 	 * as our interface address (e.g. multicast addresses, addresses
> 	 * within FAITH prefixes and such).
> 	 */
> -	if (deliverifp && !ip6_getdstifaddr(m)) {
> +	if (deliverifp) {
> 		struct in6_ifaddr *ia6;
>=20
> -		ia6 =3D in6_ifawithifp(deliverifp, &ip6->ip6_dst);
> -		if (ia6) {
> -			if (!ip6_setdstifaddr(m, ia6)) {
> -				/*
> -				 * XXX maybe we should drop the packet =
here,
> -				 * as we could not provide enough =
information
> -				 * to the upper layers.
> -				 */
> -			}
> + 		if ((ia6 =3D ip6_getdstifaddr(m)) !=3D NULL) {
> 			ifa_free(&ia6->ia_ifa);
> +		} else {
> +			ia6 =3D in6_ifawithifp(deliverifp, =
&ip6->ip6_dst);
> +			if (ia6) {
> +				if (!ip6_setdstifaddr(m, ia6)) {
> +					/*
> +					 * XXX maybe we should drop the =
packet here,
> +					 * as we could not provide =
enough information
> +					 * to the upper layers.
> +					 */
> +				}
> +				ifa_free(&ia6->ia_ifa);
> +			}
> 		}
> 	}
>=20

--=20
Bjoern A. Zeeb                                 You have to have visions!
   It does not matter how good you are. It matters what good you do!