LLE reference leak in the L2 cache

Mike Karels mike at karels.net
Tue Mar 14 08:40:47 UTC 2017 

> Hi All,

> Eugene has reported about the following assertion in the ARP code:
> 	http://www.grosbein.net/freebsd/crash/arp-kassert.txt

> After some investigation I found that L2 cache has reference leak, that
> can lead to integer overflow and this assertion.
> The one of the ways to reproduce this overflow can be demonstrated with
> simple IP forwarding, when ip_forward() is used (not ip_tryforward).

> I asked olivier@ to reproduce this leak and he got this result:
> 	http://slexy.org/view/s21ql7nA0q

> After further investigation I found similar leak in the IPv6 TCP path.
> Simple iperf test shows these results:

> # dtrace -n 'fbt::in6_lltable_dump_entry:entry {printf("%d",
> args[1]->lle_refcnt);}'
> dtrace: description 'fbt::in6_lltable_dump_entry:entry ' matched 1 probe
> CPU     ID                    FUNCTION:NAME
>  51  18589     in6_lltable_dump_entry:entry 55721
>  51  18589     in6_lltable_dump_entry:entry 1
>  51  18589     in6_lltable_dump_entry:entry 1
>  51  18589     in6_lltable_dump_entry:entry 2
>  38  18589     in6_lltable_dump_entry:entry 111417
>  38  18589     in6_lltable_dump_entry:entry 1
>  38  18589     in6_lltable_dump_entry:entry 1

> --
> WBR, Andrey V. Elsukov

Thanks!  Could you try the following patch (compiles, but untested):

Index: netinet/ip_input.c
===================================================================
--- netinet/ip_input.c	(revision 315160)
+++ netinet/ip_input.c	(working copy)
@@ -60,6 +60,7 @@
 #include <net/if_types.h>
 #include <net/if_var.h>
 #include <net/if_dl.h>
+#include <net/if_llatbl.h>
 #include <net/route.h>
 #include <net/netisr.h>
 #include <net/rss_config.h>
@@ -1066,6 +1067,8 @@
 	if (error == EMSGSIZE && ro.ro_rt)
 		mtu = ro.ro_rt->rt_mtu;
 	RO_RTFREE(&ro);
+	if (ro.ro_lle)
+		LLE_FREE(ro.ro_lle);
 
 	if (error)
 		IPSTAT_INC(ips_cantforward);
Index: netinet6/ip6_forward.c
===================================================================
--- netinet6/ip6_forward.c	(revision 315160)
+++ netinet6/ip6_forward.c	(working copy)
@@ -52,6 +52,7 @@
 #include <net/if.h>
 #include <net/if_var.h>
 #include <net/netisr.h>
+#include <net/if_llatbl.h>
 #include <net/route.h>
 #include <net/pfil.h>
 
@@ -431,4 +432,6 @@
 out:
 	if (rt != NULL)
 		RTFREE(rt);
+	if (rin6.ro_lle)
+		LLE_FREE(rin6.ro_lle);
 }

Thanks,
		Mike

More information about the freebsd-net mailing list