Bug 242270 - Network stack leaks ifnet references when creating VLAN
Summary: Network stack leaks ifnet references when creating VLAN
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Many People
Assignee: freebsd-net mailing list
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2019-11-27 18:35 UTC by Andrew Boyer
Modified: 2019-11-28 10:15 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Andrew Boyer 2019-11-27 18:35:23 UTC
When a VLAN is created on a struct ifnet, one extra leaked reference is added on the ifnet. This reference is never removed and results in a leak of the ifnet once it is forgotten by the network stack.
Roughly:
 * if_clone_create() -> vlan_clone_match() -> vlan_clone_match_ethervid() takes a ref (1)
 * if_clone_createif() -> vlan_clone_create() -> vlan_clone_match_ethervid() takes a ref (2)
 * if_clone_createif() -> vlan_clone_create() -> vlan_config() takes a ref (3)
 * if_clone_createif() -> vlan_clone_create() drops a ref (3)
 * One ref is dropped when the VLAN is destroyed (2)
 * Ref (1) is leaked
The first pass, if_clone_create(), is just to verify that an ifp named "foo0" is present in the system. When if_clone_createif() goes back for the second pass, it does the check again and errors out cleanly if the name is not present. The refcounting was added to this code after it had been in the kernel for years; prior to the refcounting, it would have been necessary for the second pass to re-confirm that the port exists.
To me, it seems clear that the first pass was not intended to return with a reference held. It doesn't return an ifp pointer or anything - just '1' to indicate that the named interface exists. It would be a much larger redesign to combine everything into one pass. Instead we should just fix the reference leak.

(This might only affect foo0.N style VLANs)

This is a fix:
--- a/sys/net/if_vlan.c
+++ b/sys/net/if_vlan.c
@@ -957,10 +957,14 @@ vlan_clone_match_ethervid(const char *name, int *vidp)
 static int
 vlan_clone_match(struct if_clone *ifc, const char *name)
 {
+       struct ifnet *ifp;
        const char *cp;
 
-       if (vlan_clone_match_ethervid(name, NULL) != NULL)
+       ifp = vlan_clone_match_ethervid(name, NULL);
+       if (ifp != NULL) {
+               if_rele(ifp);
                return (1);
+       }
 
        if (strncmp(vlanname, name, strlen(vlanname)) != 0)
                return (0);