Bug 156283

Summary: [ip6] [patch] nd6_ns_input - rtalloc_mpath does not return a locked rtentry
Product: Base System Reporter: Ingo Flaschberger <if>
Component: kernAssignee: Andrey V. Elsukov <ae>
Status: Closed FIXED    
Severity: Affects Only Me Flags: bugmeister: mfc-stable10?
bugmeister: mfc-stable9?
bugmeister: mfc-stable8?
Priority: Normal    
Version: 8.2-RELEASE   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
file.diff none

Description Ingo Flaschberger freebsd_committer freebsd_triage 2011-04-08 20:10:09 UTC 
Problem occurs when RADIX_MPATH is defined.

In nd6_ns_input rtalloc_mpath does not return a locked root.
Panic occurs when RTFREE_LOCKED(rt); is called at this route.

Fix: Patch attached with submission follows:
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2011-04-09 21:22:43 UTC 
Responsible Changed
From-To: freebsd-bugs->freebsd-net

Over to maintainer(s).
Comment 2 Ingo Flaschberger 2012-11-08 16:55:11 UTC 
Why is this bug not fixed in tree?
Comment 3 dfilter service freebsd_committer freebsd_triage 2013-11-11 12:49:07 UTC 
Author: ae
Date: Mon Nov 11 12:49:00 2013
New Revision: 257985
URL: http://svnweb.freebsd.org/changeset/base/257985

Log:
  Fix panic with RADIX_MPATH, when RTFREE_LOCKED() called for already
  unlocked route. Use in6_rtalloc() instead of in6_rtalloc1. This helps
  simplify the code and remove several now unused variables.
  
  PR:		156283
  MFC after:	2 weeks

Modified:
  head/sys/netinet6/nd6_nbr.c

Modified: head/sys/netinet6/nd6_nbr.c
==============================================================================
--- head/sys/netinet6/nd6_nbr.c	Mon Nov 11 12:44:54 2013	(r257984)
+++ head/sys/netinet6/nd6_nbr.c	Mon Nov 11 12:49:00 2013	(r257985)
@@ -232,41 +232,28 @@ nd6_ns_input(struct mbuf *m, int off, in
 
 	/* (2) check. */
 	if (ifa == NULL) {
-		struct rtentry *rt;
-		struct sockaddr_in6 tsin6;
-		int need_proxy;
-#ifdef RADIX_MPATH
 		struct route_in6 ro;
-#endif
+		int need_proxy;
 
-		bzero(&tsin6, sizeof tsin6);
-		tsin6.sin6_len = sizeof(struct sockaddr_in6);
-		tsin6.sin6_family = AF_INET6;
-		tsin6.sin6_addr = taddr6;
+		bzero(&ro, sizeof(ro));
+		ro.ro_dst.sin6_len = sizeof(struct sockaddr_in6);
+		ro.ro_dst.sin6_family = AF_INET6;
+		ro.ro_dst.sin6_addr = taddr6;
 
 		/* Always use the default FIB. */
 #ifdef RADIX_MPATH
-		bzero(&ro, sizeof(ro));
-		ro.ro_dst = tsin6;
 		rtalloc_mpath_fib((struct route *)&ro, RTF_ANNOUNCE,
 		    RT_DEFAULT_FIB);
-		rt = ro.ro_rt;
 #else
-		rt = in6_rtalloc1((struct sockaddr *)&tsin6, 0, 0,
-		    RT_DEFAULT_FIB);
+		in6_rtalloc(&ro, RT_DEFAULT_FIB);
 #endif
-		need_proxy = (rt && (rt->rt_flags & RTF_ANNOUNCE) != 0 &&
-		    rt->rt_gateway->sa_family == AF_LINK);
-		if (rt != NULL) {
-			/*
-			 * Make a copy while we can be sure that rt_gateway
-			 * is still stable before unlocking to avoid lock
-			 * order problems.  proxydl will only be used if
-			 * proxy will be set in the next block.
-			 */
+		need_proxy = (ro.ro_rt &&
+		    (ro.ro_rt->rt_flags & RTF_ANNOUNCE) != 0 &&
+		    ro.ro_rt->rt_gateway->sa_family == AF_LINK);
+		if (ro.ro_rt != NULL) {
 			if (need_proxy)
-				proxydl = *SDL(rt->rt_gateway);
-			RTFREE_LOCKED(rt);
+				proxydl = *SDL(ro.ro_rt->rt_gateway);
+			RTFREE(ro.ro_rt);
 		}
 		if (need_proxy) {
 			/*
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
Comment 4 Andrey V. Elsukov freebsd_committer freebsd_triage 2013-11-11 12:52:39 UTC 
State Changed
From-To: open->patched

Patched in head/.
Comment 5 Andrey V. Elsukov freebsd_committer freebsd_triage 2013-11-11 12:52:39 UTC 
Responsible Changed
From-To: freebsd-net->ae

Take it.
Comment 6 commit-hook freebsd_committer freebsd_triage 2014-09-01 08:33:42 UTC 
A commit references this bug:

Author: ae
Date: Mon Sep  1 08:33:38 UTC 2014
New revision: 270923
URL: http://svnweb.freebsd.org/changeset/base/270923

Log:
  MFC r257985:
    Fix panic with RADIX_MPATH, when RTFREE_LOCKED() called for already
    unlocked route. Use in6_rtalloc() instead of in6_rtalloc1. This helps
    simplify the code and remove several now unused variables.

    PR:		156283

Changes:
_U  stable/10/
  stable/10/sys/netinet6/nd6_nbr.c
Comment 7 commit-hook freebsd_committer freebsd_triage 2014-09-01 08:34:43 UTC 
A commit references this bug:

Author: ae
Date: Mon Sep  1 08:33:52 UTC 2014
New revision: 270924
URL: http://svnweb.freebsd.org/changeset/base/270924

Log:
  MFC r257985:
    Fix panic with RADIX_MPATH, when RTFREE_LOCKED() called for already
    unlocked route. Use in6_rtalloc() instead of in6_rtalloc1. This helps
    simplify the code and remove several now unused variables.

    PR:		156283

Changes:
_U  stable/9/sys/
  stable/9/sys/netinet6/nd6_nbr.c
Comment 8 commit-hook freebsd_committer freebsd_triage 2014-09-01 09:00:45 UTC 
A commit references this bug:

Author: ae
Date: Mon Sep  1 09:00:01 UTC 2014
New revision: 270926
URL: http://svnweb.freebsd.org/changeset/base/270926

Log:
  MFC r257985:
    Fix panic with RADIX_MPATH, when RTFREE_LOCKED() called for already
    unlocked route. Use in6_rtalloc() instead of in6_rtalloc1. This helps
    simplify the code and remove several now unused variables.

    PR:		156283

Changes:
_U  stable/8/sys/
_U  stable/8/sys/netinet6/
  stable/8/sys/netinet6/nd6_nbr.c