Date: Tue, 14 Mar 2017 09:47:26 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: freebsd-net@FreeBSD.org
Cc: karels@FreeBSD.org, Gleb Smirnoff <glebius@freebsd.org>, "Alexander V. Chernikov" <melifaro@freebsd.org>, Eugene Grosbein <eugen@freebsd.org>
Subject: LLE reference leak in the L2 cache
Message-ID: <18d77ab0-f818-d711-196b-69f10877ae80@yandex.ru>

Hi All,

Eugene has reported the following assertion in the ARP code:
http://www.grosbein.net/freebsd/crash/arp-kassert.txt

After some investigation I found that the L2 cache has a reference leak that
can lead to an integer overflow and this assertion. One of the ways to
reproduce this overflow can be demonstrated with simple IP forwarding,
when ip_forward() is used (not ip_tryforward).

I asked olivier@ to reproduce this leak and he got this result:
http://slexy.org/view/s21ql7nA0q

After further investigation I found a similar leak in the IPv6 TCP path.
A simple iperf test shows these results:

# dtrace -n 'fbt::in6_lltable_dump_entry:entry {printf("%d", args[1]->lle_refcnt);}'
dtrace: description 'fbt::in6_lltable_dump_entry:entry ' matched 1 probe
CPU     ID                    FUNCTION:NAME
 51  18589     in6_lltable_dump_entry:entry 55721
 51  18589     in6_lltable_dump_entry:entry 1
 51  18589     in6_lltable_dump_entry:entry 1
 51  18589     in6_lltable_dump_entry:entry 2
 38  18589     in6_lltable_dump_entry:entry 111417
 38  18589     in6_lltable_dump_entry:entry 1
 38  18589     in6_lltable_dump_entry:entry 1

-- 
WBR, Andrey V. Elsukov