ifaddr reference count leaks that seem to be related to routing code
Ryan Stone
rysto32 at gmail.com
Fri Feb 12 17:41:07 UTC 2021

On main I'm seeing leaks of ifaddr reference counts. I can reproduce
this in a bhyve VM by repeating this:

    vlan=`ifconfig vlan create vlandev vtnet0 vlan 777`
    ifconfig $vlan up
    ifconfig $vlan 1.0.0.1/24
    ifconfig $vlan destroy

If I watch the ifaddr column of vmstat -m while I repeat this, I see
it increasing by one every time. Poking around with dtrace confirms
that it's an AF_INET address that's getting leaked. Looking at the
calls to ifa_ref and ifa_free, the routing code looks suspicious. I
see that the route add path takes one reference here:

https://cgit.freebsd.org/src/tree/sys/net/route/route_ctl.c#n588

    kernel`rib_add_route+0x11e
    kernel`rib_handle_ifaddr_info+0xd7
    kernel`in_handle_ifaddr_route+0x1cd
    kernel`in_addprefix+0x18b
    kernel`in_control+0xada
    kernel`ifioctl+0x3d8
    kernel`kern_ioctl+0x289
    kernel`sys_ioctl+0x12a
    kernel`amd64_syscall+0x12e
    kernel`0xffffffff8108b9be

(for me directly in the else case, or rt_getifa_fib() will take one on
the ifa it grabs)

I see a second reference taken in the nhop code:

    kernel`get_nhop+0xd8
    kernel`nhop_create_from_info+0x1df
    kernel`rib_add_route+0x12e
    kernel`rib_handle_ifaddr_info+0xd7
    kernel`in_handle_ifaddr_route+0x1cd
    kernel`in_addprefix+0x18b
    kernel`in_control+0xada
    kernel`ifioctl+0x3d8
    kernel`kern_ioctl+0x289
    kernel`sys_ioctl+0x12a
    kernel`amd64_syscall+0x12e
    kernel`0xffffffff8108b9be

But I only see one reference released when the nhop is cleaned up:

    kernel`destroy_nhop_epoch+0x2d
    kernel`epoch_call_task+0x13a
    kernel`gtaskqueue_run_locked+0xa7
    kernel`gtaskqueue_thread_loop+0x94
    kernel`fork_exit+0x80
    kernel`0xffffffff8108c11e

It looks to me like we can either lose the ifa_ref() from
create_rtentry entirely (if the route add code runs within the
net_epoch), or we need to release that reference before returning from
rib_add_route(). Can somebody take a look at this and confirm my
findings? Thanks
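
One way to collect the kind of ifa_ref()/ifa_free() evidence described in the message above, as an added example that is not part of the original post and is not the script its author used. It assumes fbt probes are available for both functions (they are not inlined) and that the kernel carries CTF data so args[0] is typed as struct ifaddr *; the inline name INET_FAMILY is made up for this example.

```dtrace
#!/usr/sbin/dtrace -s
/*
 * Added example, not the script used in the original post.
 * Tallies ifa_ref()/ifa_free() calls on AF_INET addresses by kernel stack
 * and keeps a net count per struct ifaddr pointer.
 *
 * Assumptions: fbt probes exist for both functions, and CTF type data is
 * present so args[0] is a struct ifaddr *. Only these two functions are
 * counted, so the reference an address holds from allocation is not seen:
 * an address that was fully released while tracing ends with a net of -1,
 * and one that still holds a reference ends at 0 or above.
 */
#pragma D option quiet

inline int INET_FAMILY = 2;	/* numeric value of AF_INET on FreeBSD */

fbt::ifa_ref:entry
/args[0]->ifa_addr != NULL && args[0]->ifa_addr->sa_family == INET_FAMILY/
{
	@refs[stack()] = count();	/* who takes references */
	@net[arg0] = sum(1);		/* running balance per ifaddr */
}

fbt::ifa_free:entry
/args[0]->ifa_addr != NULL && args[0]->ifa_addr->sa_family == INET_FAMILY/
{
	@frees[stack()] = count();	/* who drops references */
	@net[arg0] = sum(-1);
}

END
{
	printf("ifa_ref() call sites:\n");
	printa(@refs);
	printf("\nifa_free() call sites:\n");
	printa(@frees);
	printf("\nnet references taken while tracing, per ifaddr:\n");
	printa("  0x%x  %@d\n", @net);
}
```

Start it before running the create/up/address/destroy sequence, give the deferred nhop cleanup time to run, then stop it with Ctrl-C and compare the call sites in the two stack lists.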