From owner-svn-src-stable-9@FreeBSD.ORG Tue Jun 5 11:26:44 2012 Return-Path: Delivered-To: svn-src-stable-9@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AA616106566C; Tue, 5 Jun 2012 11:26:44 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 946178FC14; Tue, 5 Jun 2012 11:26:44 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id q55BQiER016498; Tue, 5 Jun 2012 11:26:44 GMT (envelope-from bz@svn.freebsd.org) Received: (from bz@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id q55BQiqk016496; Tue, 5 Jun 2012 11:26:44 GMT (envelope-from bz@svn.freebsd.org) Message-Id: <201206051126.q55BQiqk016496@svn.freebsd.org> From: "Bjoern A. Zeeb" Date: Tue, 5 Jun 2012 11:26:44 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org X-SVN-Group: stable-9 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r236608 - stable/9/sys/netinet6 X-BeenThere: svn-src-stable-9@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for only the 9-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Jun 2012 11:26:44 -0000 Author: bz Date: Tue Jun 5 11:26:43 2012 New Revision: 236608 URL: http://svn.freebsd.org/changeset/base/236608 Log: MFC r236501 (by emax): Plug reference leak. Interface addresses are refcounted as packets move through the stack, and there's garbage collection tied to it so that address changes can safely propagate while traffic is flowing. In our setup, we weren't changing or deleting any addresses, but the refcounting logic in ip6_input() was wrong and caused a reference leak on every inbound V6 packet. This eventually caused a 32bit overflow, and the resulting 0 value caused the garbage collection to run on the active address. That then snowballed into the panic. Modified: stable/9/sys/netinet6/ip6_input.c Directory Properties: stable/9/sys/ (props changed) Modified: stable/9/sys/netinet6/ip6_input.c ============================================================================== --- stable/9/sys/netinet6/ip6_input.c Tue Jun 5 11:24:05 2012 (r236607) +++ stable/9/sys/netinet6/ip6_input.c Tue Jun 5 11:26:43 2012 (r236608) @@ -797,19 +797,23 @@ passin: * as our interface address (e.g. multicast addresses, addresses * within FAITH prefixes and such). */ - if (deliverifp && !ip6_getdstifaddr(m)) { + if (deliverifp) { struct in6_ifaddr *ia6; - ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst); - if (ia6) { - if (!ip6_setdstifaddr(m, ia6)) { - /* - * XXX maybe we should drop the packet here, - * as we could not provide enough information - * to the upper layers. - */ - } + if ((ia6 = ip6_getdstifaddr(m)) != NULL) { ifa_free(&ia6->ia_ifa); + } else { + ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst); + if (ia6) { + if (!ip6_setdstifaddr(m, ia6)) { + /* + * XXX maybe we should drop the packet here, + * as we could not provide enough information + * to the upper layers. + */ + } + ifa_free(&ia6->ia_ifa); + } } }