ifaddr reference count leaks that seem to be related to routing code
Ryan Stone
rysto32 at gmail.com
Fri Feb 12 21:48:26 UTC 2021
On Fri, Feb 12, 2021 at 4:14 PM Alexander V. Chernikov
<melifaro at freebsd.org> wrote:
> The slightly different approach here: https://reviews.freebsd.org/D28629
> We indeed are running under epoch, so that prevents _immediate_ ifa destruction.
> However, we still can run into the situation when
> * in thread 1 we drop to 0 refcount for ifa and schedule its deletion.
> * in thread 2 we use this ifa and reference it
> * destroy callout kicks in
> * unhappy user reports bug
> The current approach minimises this possibility by taking an ifa refcount early.
> More general approach would probably be in introducing `ifa_try_ref()` based on refcount_acquire_if_not_zero() but that's something that needs a bit more effort.
Oops, you're completely correct. Do you think that we should put a
KASSERT in ifa_ref() that ifa_refcnt > 0 to catch such a bug if
somebody ever manages to introduce one? Of course it would not fire
except in the case where we already lost the race, but at least it
would make it easier to debug.
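The interleaving Alexander lists above, plus the two ideas from both messages (an `ifa_try_ref()` built on `refcount_acquire_if_not_zero()` and a `KASSERT(ifa_refcnt > 0)` in `ifa_ref()`), replayed in a small userspace C model. This is an added illustration, not code from the thread or from FreeBSD's `net/if.c`: `struct ifa_model` and the `ifa_model_*` functions are hypothetical names, only the reference counting is modeled (no epoch, no real callout), and the CAS loop is my reading of what `refcount_acquire_if_not_zero()` does, not a copy of `sys/refcount.h`.

```c
#include <assert.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Toy model of the ifaddr refcount race discussed in the thread.
 * Hypothetical names: this is not FreeBSD's struct ifaddr, ifa_ref()
 * or ifa_free(), only a model of how they count.
 */
struct ifa_model {
	atomic_uint refcnt;
	bool destroyed;		/* set when the simulated destroy callout ran */
};

static void
ifa_model_init(struct ifa_model *ifa)
{
	atomic_init(&ifa->refcnt, 1);	/* the owner's reference */
	ifa->destroyed = false;
}

/*
 * Unconditional acquire, like a plain refcount_acquire().  Returns the
 * count seen before the increment: a KASSERT(refcnt > 0) in ifa_ref()
 * would fire exactly when this returns 0, i.e. after the race is lost.
 */
static unsigned
ifa_model_ref(struct ifa_model *ifa)
{
	return (atomic_fetch_add(&ifa->refcnt, 1));
}

/*
 * Modeled on refcount_acquire_if_not_zero(): a CAS loop that refuses to
 * resurrect an object whose count has already reached zero.
 */
static bool
ifa_model_try_ref(struct ifa_model *ifa)
{
	unsigned old = atomic_load(&ifa->refcnt);

	for (;;) {
		if (old == 0)
			return (false);
		/* On failure 'old' is reloaded with the current value; retry. */
		if (atomic_compare_exchange_weak(&ifa->refcnt, &old, old + 1))
			return (true);
	}
}

/* Drop a reference; true means the caller must schedule destruction. */
static bool
ifa_model_free(struct ifa_model *ifa)
{
	return (atomic_fetch_sub(&ifa->refcnt, 1) == 1);
}

/* The deferred destroy callout (in the kernel, after the epoch ends). */
static void
ifa_model_destroy(struct ifa_model *ifa)
{
	ifa->destroyed = true;
}

/*
 * Replay the interleaving from the thread: thread 1 drops the last
 * reference and schedules destruction, thread 2 then takes a reference,
 * and the callout fires.  Returns true when thread 2 ends up holding a
 * destroyed object.  *old_seen receives the count the plain ref observed
 * (the value the proposed KASSERT would test); 0 on the try_ref path.
 */
static bool
replay_race(bool use_try_ref, unsigned *old_seen)
{
	struct ifa_model ifa;
	bool held, schedule;

	ifa_model_init(&ifa);
	schedule = ifa_model_free(&ifa);	/* thread 1: refcount 1 -> 0 */

	if (use_try_ref) {
		held = ifa_model_try_ref(&ifa);	/* thread 2: refused, count is 0 */
		*old_seen = 0;
	} else {
		*old_seen = ifa_model_ref(&ifa);	/* thread 2: 0 -> 1, KASSERT point */
		held = true;
	}

	if (schedule)
		ifa_model_destroy(&ifa);	/* destroy callout kicks in regardless */

	return (held && ifa.destroyed);
}

/* try_ref must still succeed on a live object, or it is useless. */
static bool
try_ref_on_live_object(void)
{
	struct ifa_model ifa;

	ifa_model_init(&ifa);
	if (!ifa_model_try_ref(&ifa))
		return (false);
	return (atomic_load(&ifa.refcnt) == 2);
}

int
main(void)
{
	unsigned old;

	printf("plain ref after zero: use-after-destroy=%d, count seen=%u\n",
	    replay_race(false, &old), old);
	printf("try_ref after zero:   use-after-destroy=%d\n",
	    replay_race(true, &old));
	printf("try_ref on live object ok=%d\n", try_ref_on_live_object());
	return (0);
}
```

The plain path shows why the KASSERT only helps with debugging: by the time `ifa_model_ref()` observes 0 the object is already scheduled for destruction, so the assertion can report the race but not prevent it. The `try_ref` path is the one that actually closes the window, because a caller that gets `false` back knows it must not touch the object.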