Date: Fri, 12 Feb 2021 12:40:52 -0500
From: Ryan Stone <rysto32@gmail.com>
To: freebsd-net <freebsd-net@freebsd.org>
Cc: "Alexander V. Chernikov" <melifaro@freebsd.org>
Subject: ifaddr reference count leaks that seem to be related to routing code
Message-ID: <CAFMmRNyi3bXmJd%2BHrMAOSuB2cm%2B5ZtC5jaj3jLiHs0RVMBegZA@mail.gmail.com>

On main I'm seeing leaks of ifaddr reference counts. I can reproduce
this in a bhyve VM by repeating this:

    vlan=`ifconfig vlan create vlandev vtnet0 vlan 777`
    ifconfig $vlan up
    ifconfig $vlan 1.0.0.1/24
    ifconfig $vlan destroy

If I watch the ifaddr column of vmstat -m while I repeat this, I see
it increasing by one every time. Poking around with dtrace confirms
that it's an AF_INET address that's getting leaked. Looking at the
calls to ifa_ref and ifa_free, the routing code looks suspicious. I
see that the route add path takes one reference here:

https://cgit.freebsd.org/src/tree/sys/net/route/route_ctl.c#n588

    kernel`rib_add_route+0x11e
    kernel`rib_handle_ifaddr_info+0xd7
    kernel`in_handle_ifaddr_route+0x1cd
    kernel`in_addprefix+0x18b
    kernel`in_control+0xada
    kernel`ifioctl+0x3d8
    kernel`kern_ioctl+0x289
    kernel`sys_ioctl+0x12a
    kernel`amd64_syscall+0x12e
    kernel`0xffffffff8108b9be

(for me directly in the else case, or rt_getifa_fib() will take one on
the ifa it grabs)

I see a second reference taken in the nhop code:

    kernel`get_nhop+0xd8
    kernel`nhop_create_from_info+0x1df
    kernel`rib_add_route+0x12e
    kernel`rib_handle_ifaddr_info+0xd7
    kernel`in_handle_ifaddr_route+0x1cd
    kernel`in_addprefix+0x18b
    kernel`in_control+0xada
    kernel`ifioctl+0x3d8
    kernel`kern_ioctl+0x289
    kernel`sys_ioctl+0x12a
    kernel`amd64_syscall+0x12e
    kernel`0xffffffff8108b9be

But I only see one reference released when the nhop is cleaned up:

    kernel`destroy_nhop_epoch+0x2d
    kernel`epoch_call_task+0x13a
    kernel`gtaskqueue_run_locked+0xa7
    kernel`gtaskqueue_thread_loop+0x94
    kernel`fork_exit+0x80
    kernel`0xffffffff8108c11e

It looks to me like we can either lose the ifa_ref() from
create_rtentry entirely (if the route add code runs within the
net_epoch), or we need to release that reference before returning from
rib_add_route(). Can somebody take a look at this and confirm my
findings? Thanks
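
Added example, not part of the original message: a shell regression check that automates the reproduction above and compares the ifaddr InUse count from vmstat -m before and after the cycles. The function names, the one-second settle delay, the one-per-cycle threshold and the assumption that InUse is the second column are assumptions of this example; the ifconfig commands and vtnet0 come from the message.

```sh
#!/bin/sh
# Added example (constructed): regression check for the ifaddr leak above.
# Needs FreeBSD and root. Usage: sh ifaddr_leak.sh vtnet0 20

# Print the InUse count for one malloc type from `vmstat -m` output on stdin.
# Assumption: the type name has no spaces and InUse is the second column.
malloc_inuse() {
    awk -v t="$1" '$1 == t { print $2; found = 1 }
                   END { if (!found) exit 1 }'
}

# One create/configure/destroy cycle, as in the message.
vlan_cycle() {
    vlan=$(ifconfig vlan create vlandev "$1" vlan 777) || return 1
    ifconfig "$vlan" up
    ifconfig "$vlan" 1.0.0.1/24
    ifconfig "$vlan" destroy
}

# Compare counts: growth of at least one ifaddr per cycle is reported as a
# leak (assumed threshold; unrelated address changes add noise).
leak_verdict() {
    delta=$(( $2 - $1 ))
    if [ "$delta" -ge "$3" ]; then
        echo "LEAK: ifaddr InUse grew by $delta over $3 cycles"
        return 1
    fi
    echo "OK: ifaddr InUse changed by $delta over $3 cycles"
}

check_ifaddr_leak() {
    parent=$1
    cycles=$2
    before=$(vmstat -m | malloc_inuse ifaddr) || return 2
    i=0
    while [ "$i" -lt "$cycles" ]; do
        vlan_cycle "$parent" || return 2
        i=$((i + 1))
    done
    sleep 1   # assumed settle time: nhop teardown runs from an epoch callback
    after=$(vmstat -m | malloc_inuse ifaddr) || return 2
    leak_verdict "$before" "$after" "$cycles"
}

# Only touch the system when a parent interface is given on the command line.
if [ "$#" -ge 1 ]; then
    check_ifaddr_leak "$1" "${2:-10}"
fi
```

The script exits 1 when a leak is reported and 2 when a command or the vmstat lookup fails, so it can gate a test run on a patched kernel.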
