From owner-freebsd-bugs Sun Jul 22 14:40:12 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id ACB8537B438
	for ; Sun, 22 Jul 2001 14:40:01 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.4/8.11.4) id f6MLe1n17645;
	Sun, 22 Jul 2001 14:40:01 -0700 (PDT)
	(envelope-from gnats)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id A83BE37B403
	for ; Sun, 22 Jul 2001 14:32:45 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.4/8.11.4) id f6MLWjt16345;
	Sun, 22 Jul 2001 14:32:45 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200107222132.f6MLWjt16345@freefall.freebsd.org>
Date: Sun, 22 Jul 2001 14:32:45 -0700 (PDT)
From: Richard Andrades
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: kern/29150: Incomplete cleanup in the netgraph bridge shutdown function
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number:         29150
>Category:       kern
>Synopsis:       Incomplete cleanup in the netgraph bridge shutdown function
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jul 22 14:40:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Richard Andrades
>Release:        RELENG_4_1_1_RELEASE (Revision 1.1.2.2)
>Organization:
Xebeo Communications, Inc.
>Environment:
FreeBSD X2.xebeo.com 4.1.1 FreeBSD 4.1.1 #11: Tue Jul 17 14:47:29 EDT 2001 richard@X2.xebeo.com:/net/scratch/richard/kern/kernel/sys/compile/GENERIC i386
>Description:
When a netgraph bridge node is destroyed, the shutdown function fails
to deregister the callout function, sometimes leading to a kernel crash
(it doesn't happen every time so it is hard to reproduce).

It also fails to decrement the node's refcount (which was bumped by
the constructor). Usually (not always) this causes a memory leak. This
one is very easy to find.
>How-To-Repeat:
The first BUG can be reproduced by repeatedly adding and removing
netgraph bridges. Sooner or later the kernel will crash.

The second bug can be reproduced by adding and removing a netgraph
bridge.
>Fix:
FILE: src/sys/netgraph/ng_bridge.c

/* NOTE: This function has been renamed ng_bridge_shutdown in the */
/* current version of FreeBSD */

/*
 * Shutdown node
 */
static int
ng_bridge_rmnode(node_p node)
{
	const priv_p priv = node->private;

	ng_unname(node);
	ng_cutlinks(node);		/* frees all link and host info */
	KASSERT(priv->numLinks == 0 && priv->numHosts == 0,
	    ("%s: numLinks=%d numHosts=%d",
	    __FUNCTION__, priv->numLinks, priv->numHosts));

	/* Fix to BUG #1 */
	callout_stop(&priv->timer);
	/* If the callout is not cancelled when the node is */
	/* removed, a timeout sometimes crashes the kernel. */
	/* End of fix to BUG #1 */

	FREE(priv->tab, M_NETGRAPH);
	FREE(priv, M_NETGRAPH);
	node->private = NULL;

	/* Fix to BUG #2 */
	/* The refcount was incremented by 1 in the constructor. It may
	 * have been decremented by 1 by the timeout. If not, do it now.
	 * This must come after callout_reset. */
	if(node->refs > 1)
		ng_unref(node);	/* Extra one, to compensate for constructor action */
	/* If the refcount is more than one at this point, the node */
	/* is not removed and it causes a memory leak (64 bytes). */
	/* End of Fix to BUG #2 */

	ng_unref(node);
	return (0);
}
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
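
The two failure modes described in this report, as an added example that is not part of the original PR or of FreeBSD's source: a constructed userspace C model of the shutdown path with and without the two fixes. struct node, struct result, node_unref and shutdown_node are hypothetical stand-ins, and the model assumes the constructor's extra reference belongs to the pending timer.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed userspace model; every name here is hypothetical. */
struct node {
    int   refs;         /* node storage is released when this hits 0 */
    bool  released;
    bool  timer_armed;  /* a pending callout that will dereference priv */
    void *priv;
};

struct result { int refs; bool released; bool dangling_timer; };

static void node_unref(struct node *n) {
    if (--n->refs == 0)
        n->released = true;         /* stands in for freeing the node */
}

/* Constructor: one ref for the node itself, one extra taken with the timer. */
static void node_init(struct node *n) {
    n->refs = 2; n->released = false; n->timer_armed = true;
    n->priv = malloc(64);
}

static struct result shutdown_node(bool with_fix, bool timer_ran_first) {
    struct node n;
    node_init(&n);
    if (timer_ran_first) {          /* timeout already gave its ref back */
        n.timer_armed = false;
        node_unref(&n);
    }
    if (with_fix)
        n.timer_armed = false;      /* BUG #1: cancel the pending callout */
    free(n.priv);
    n.priv = NULL;
    if (with_fix && n.refs > 1)
        node_unref(&n);             /* BUG #2: drop the constructor's extra ref */
    node_unref(&n);
    /* An armed timer whose private data is gone is the crash condition. */
    return (struct result){ n.refs, n.released, n.timer_armed && n.priv == NULL };
}

int main(void) {
    struct result bad = shutdown_node(false, false), ok = shutdown_node(true, false);
    return !(bad.dangling_timer && !bad.released && ok.released);
}
```

The refs > 1 guard is what keeps the fixed path from dropping one reference too many when the timeout has already returned its own.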