On Tue, Aug 23, 2022 at 02:47:11PM +0200, Stefan Sperling wrote: > ddb{2}> show struct ifaddr 0xffff8000004e9400 > struct ifaddr at 0xffff8000004e9400 (64 bytes) {ifa_addr = (struct sockaddr > *)0 > xdeaf0009deafbead, ifa_dstaddr = (struct sockaddr *)0x20ef1a8af1d895de, > ifa_net > mask = (struct sockaddr *)0xdeafbeaddeafbead, ifa_ifp = (struct ifnet > *)0xdeafb > eaddeafbead, ifa_list = {tqe_next = (struct ifaddr *)0xdeafbeaddeafbead, > tqe_pr > ev = 0xdeafbeaddeafbead}, ifa_flags = 0xdeafbead, ifa_refcnt = 0xdeafbead, > ifa_ > metric = 0xdeafbead}
The ifaddr has been freed. That should not happen, as ifafree() uses reference counting. But this refcount is a simple integer increment, that is not MP safe. In theory all ++ should be protected by exclusive netlock or shared netlock combiined with kernel lock. But maybe I missed a path. What are you doing with the machine? Forwarding, IPv6, Stress test? Do you have network interfaces with multiple network queues? Anyway, instead of adding kernel locks here and there, use a propper struct refcnt. The variable ifatrash is never read, it looks like a ddb debugging feature. But for debugging refcount leaks we have dt(4) now. enc and mpls are special, they have interface address as part of their sc structure. I use refcount anyway, the new panic prevents use after free. This has passed a full regres run. ok? bluhm Index: dev/dt/dt_prov_static.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/dev/dt/dt_prov_static.c,v retrieving revision 1.14 diff -u -p -r1.14 dt_prov_static.c --- dev/dt/dt_prov_static.c 28 Jun 2022 09:32:27 -0000 1.14 +++ dev/dt/dt_prov_static.c 23 Aug 2022 17:16:55 -0000 @@ -88,9 +88,10 @@ DT_STATIC_PROBE0(smr, wakeup); DT_STATIC_PROBE2(smr, thread, "uint64_t", "uint64_t"); /* - * reference counting + * reference counting, keep in sync with sys/refcnt.h */ DT_STATIC_PROBE0(refcnt, none); +DT_STATIC_PROBE3(refcnt, ifaddr, "void *", "int", "int"); DT_STATIC_PROBE3(refcnt, inpcb, "void *", "int", "int"); DT_STATIC_PROBE3(refcnt, tdb, "void *", "int", "int"); @@ -135,6 +136,7 @@ struct dt_probe *const dtps_static[] = { &_DT_STATIC_P(smr, thread), /* refcnt */ &_DT_STATIC_P(refcnt, none), + &_DT_STATIC_P(refcnt, ifaddr), &_DT_STATIC_P(refcnt, inpcb), &_DT_STATIC_P(refcnt, tdb), }; Index: net/if_enc.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/net/if_enc.c,v retrieving revision 1.78 diff -u -p -r1.78 if_enc.c --- net/if_enc.c 28 Dec 2020 14:28:50 -0000 1.78 +++ net/if_enc.c 24 Aug 2022 07:51:49 -0000 @@ -100,6 +100,7 @@ enc_clone_create(struct if_clone *ifc, i * and empty ifa of type AF_LINK for this purpose. */ if_alloc_sadl(ifp); + refcnt_init_trace(&sc->sc_ifa.ifa_refcnt, DT_REFCNT_IDX_IFADDR); sc->sc_ifa.ifa_ifp = ifp; sc->sc_ifa.ifa_addr = sdltosa(ifp->if_sadl); sc->sc_ifa.ifa_netmask = NULL; @@ -152,6 +153,10 @@ enc_clone_destroy(struct ifnet *ifp) NET_UNLOCK(); if_detach(ifp); + if (refcnt_rele(&sc->sc_ifa.ifa_refcnt) == 0) { + panic("%s: ifa refcnt has %u refs", __func__, + sc->sc_ifa.ifa_refcnt.r_refs); + } free(sc, M_DEVBUF, sizeof(*sc)); return (0); Index: net/if_mpe.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/net/if_mpe.c,v retrieving revision 1.101 diff -u -p -r1.101 if_mpe.c --- net/if_mpe.c 8 Nov 2021 04:50:54 -0000 1.101 +++ net/if_mpe.c 24 Aug 2022 07:52:22 -0000 @@ -128,6 +128,7 @@ mpe_clone_create(struct if_clone *ifc, i sc->sc_txhprio = 0; sc->sc_rxhprio = IF_HDRPRIO_PACKET; sc->sc_rdomain = 0; + refcnt_init_trace(&sc->sc_ifa.ifa_refcnt, DT_REFCNT_IDX_IFADDR); sc->sc_ifa.ifa_ifp = ifp; sc->sc_ifa.ifa_addr = sdltosa(ifp->if_sadl); sc->sc_smpls.smpls_len = sizeof(sc->sc_smpls); @@ -154,6 +155,10 @@ mpe_clone_destroy(struct ifnet *ifp) ifq_barrier(&ifp->if_snd); if_detach(ifp); + if (refcnt_rele(&sc->sc_ifa.ifa_refcnt) == 0) { + panic("%s: ifa refcnt has %u refs", __func__, + sc->sc_ifa.ifa_refcnt.r_refs); + } free(sc, M_DEVBUF, sizeof *sc); return (0); } Index: net/if_mpip.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/net/if_mpip.c,v retrieving revision 1.15 diff -u -p -r1.15 if_mpip.c --- net/if_mpip.c 26 Mar 2021 19:00:21 -0000 1.15 +++ net/if_mpip.c 24 Aug 2022 07:52:26 -0000 @@ -128,6 +128,7 @@ mpip_clone_create(struct if_clone *ifc, bpfattach(&ifp->if_bpf, ifp, DLT_LOOP, sizeof(uint32_t)); #endif + refcnt_init_trace(&sc->sc_ifa.ifa_refcnt, DT_REFCNT_IDX_IFADDR); sc->sc_ifa.ifa_ifp = ifp; sc->sc_ifa.ifa_addr = sdltosa(ifp->if_sadl); @@ -152,7 +153,10 @@ mpip_clone_destroy(struct ifnet *ifp) ifq_barrier(&ifp->if_snd); if_detach(ifp); - + if (refcnt_rele(&sc->sc_ifa.ifa_refcnt) == 0) { + panic("%s: ifa refcnt has %u refs", __func__, + sc->sc_ifa.ifa_refcnt.r_refs); + } free(sc->sc_neighbor, M_DEVBUF, sizeof(*sc->sc_neighbor)); free(sc, M_DEVBUF, sizeof(*sc)); Index: net/if_mpw.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/net/if_mpw.c,v retrieving revision 1.62 diff -u -p -r1.62 if_mpw.c --- net/if_mpw.c 26 Mar 2021 19:00:21 -0000 1.62 +++ net/if_mpw.c 24 Aug 2022 07:52:00 -0000 @@ -122,6 +122,7 @@ mpw_clone_create(struct if_clone *ifc, i sc->sc_txhprio = 0; sc->sc_rxhprio = IF_HDRPRIO_PACKET; sc->sc_rdomain = 0; + refcnt_init_trace(&sc->sc_ifa.ifa_refcnt, DT_REFCNT_IDX_IFADDR); sc->sc_ifa.ifa_ifp = ifp; sc->sc_ifa.ifa_addr = sdltosa(ifp->if_sadl); sc->sc_smpls.smpls_len = sizeof(sc->sc_smpls); @@ -149,7 +150,10 @@ mpw_clone_destroy(struct ifnet *ifp) ether_ifdetach(ifp); if_detach(ifp); - + if (refcnt_rele(&sc->sc_ifa.ifa_refcnt) == 0) { + panic("%s: ifa refcnt has %u refs", __func__, + sc->sc_ifa.ifa_refcnt.r_refs); + } free(sc->sc_neighbor, M_DEVBUF, sizeof(*sc->sc_neighbor)); free(sc, M_DEVBUF, sizeof(*sc)); Index: net/if_pppx.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/net/if_pppx.c,v retrieving revision 1.121 diff -u -p -r1.121 if_pppx.c --- net/if_pppx.c 25 Jul 2022 08:29:26 -0000 1.121 +++ net/if_pppx.c 23 Aug 2022 17:34:20 -0000 @@ -659,6 +659,7 @@ pppx_add_session(struct pppx_dev *pxd, s ifaddr.sin_addr = req->pr_ip_srcaddr; ia = malloc(sizeof (*ia), M_IFADDR, M_WAITOK | M_ZERO); + refcnt_init_trace(&ia->ia_ifa.ifa_refcnt, DT_REFCNT_IDX_IFADDR); ia->ia_addr.sin_family = AF_INET; ia->ia_addr.sin_len = sizeof(struct sockaddr_in); Index: net/if_var.h =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/net/if_var.h,v retrieving revision 1.114 diff -u -p -r1.114 if_var.h --- net/if_var.h 20 Feb 2021 04:55:52 -0000 1.114 +++ net/if_var.h 23 Aug 2022 16:25:32 -0000 @@ -242,7 +242,7 @@ struct ifaddr { struct ifnet *ifa_ifp; /* back-pointer to interface */ TAILQ_ENTRY(ifaddr) ifa_list; /* list of addresses for interface */ u_int ifa_flags; /* interface flags, see below */ - u_int ifa_refcnt; /* number of `rt_ifa` references */ + struct refcnt ifa_refcnt; /* number of `rt_ifa` references */ int ifa_metric; /* cost of going out this interface */ }; @@ -333,6 +333,7 @@ int p2p_bpf_mtap(caddr_t, const struct m struct ifaddr *ifa_ifwithaddr(struct sockaddr *, u_int); struct ifaddr *ifa_ifwithdstaddr(struct sockaddr *, u_int); struct ifaddr *ifaof_ifpforaddr(struct sockaddr *, struct ifnet *); +struct ifaddr *ifaref(struct ifaddr *); void ifafree(struct ifaddr *); int if_isconnected(const struct ifnet *, unsigned int); Index: net/route.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/net/route.c,v retrieving revision 1.413 diff -u -p -r1.413 route.c --- net/route.c 28 Jul 2022 22:19:09 -0000 1.413 +++ net/route.c 23 Aug 2022 16:31:29 -0000 @@ -146,7 +146,6 @@ extern unsigned int rtmap_limit; struct cpumem * rtcounters; int rttrash; /* routes not in table but not freed */ -int ifatrash; /* ifas not in ifp list but not free */ struct pool rtentry_pool; /* pool for rtentry structures */ struct pool rttimer_pool; /* pool for rttimer structures */ @@ -512,16 +511,19 @@ rtfree(struct rtentry *rt) pool_put(&rtentry_pool, rt); } +struct ifaddr * +ifaref(struct ifaddr *ifa) +{ + refcnt_take(&ifa->ifa_refcnt); + return ifa; +} + void ifafree(struct ifaddr *ifa) { - if (ifa == NULL) - panic("ifafree"); - if (ifa->ifa_refcnt == 0) { - ifatrash--; - free(ifa, M_IFADDR, 0); - } else - ifa->ifa_refcnt--; + if (refcnt_rele(&ifa->ifa_refcnt) == 0) + return; + free(ifa, M_IFADDR, 0); } /* @@ -901,8 +903,7 @@ rtrequest(int req, struct rt_addrinfo *i rt_mpls_clear(rt); #endif - ifa->ifa_refcnt++; - rt->rt_ifa = ifa; + rt->rt_ifa = ifaref(ifa); rt->rt_ifidx = ifp->if_index; /* * Copy metrics and a back pointer from the cloned @@ -1857,8 +1858,8 @@ db_print_ifa(struct ifaddr *ifa) db_print_sa(ifa->ifa_dstaddr); db_printf(" ifa_mask="); db_print_sa(ifa->ifa_netmask); - db_printf(" flags=0x%x, refcnt=%d, metric=%d\n", - ifa->ifa_flags, ifa->ifa_refcnt, ifa->ifa_metric); + db_printf(" flags=0x%x, refcnt=%u, metric=%d\n", + ifa->ifa_flags, ifa->ifa_refcnt.r_refs, ifa->ifa_metric); } /* Index: net/rtsock.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/net/rtsock.c,v retrieving revision 1.341 diff -u -p -r1.341 rtsock.c --- net/rtsock.c 22 Aug 2022 21:18:48 -0000 1.341 +++ net/rtsock.c 23 Aug 2022 16:27:03 -0000 @@ -1115,8 +1115,7 @@ rtm_output(struct rt_msghdr *rtm, struct ifp->if_rtrequest(ifp, RTM_DELETE, rt); ifafree(rt->rt_ifa); - ifa->ifa_refcnt++; - rt->rt_ifa = ifa; + rt->rt_ifa = ifaref(ifa); rt->rt_ifidx = ifa->ifa_ifp->if_index; /* recheck link state after ifp change */ rt_if_linkstate_change(rt, ifa->ifa_ifp, Index: netinet/in.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/in.c,v retrieving revision 1.175 diff -u -p -r1.175 in.c --- netinet/in.c 6 Aug 2022 15:57:59 -0000 1.175 +++ netinet/in.c 23 Aug 2022 16:59:09 -0000 @@ -379,6 +379,7 @@ in_ioctl_set_ifaddr(u_long cmd, caddr_t } if (ia == NULL) { ia = malloc(sizeof *ia, M_IFADDR, M_WAITOK | M_ZERO); + refcnt_init_trace(&ia->ia_ifa.ifa_refcnt, DT_REFCNT_IDX_IFADDR); ia->ia_addr.sin_family = AF_INET; ia->ia_addr.sin_len = sizeof(ia->ia_addr); ia->ia_ifa.ifa_addr = sintosa(&ia->ia_addr); @@ -475,6 +476,8 @@ in_ioctl_change_ifaddr(u_long cmd, caddr if (ia == NULL) { ia = malloc(sizeof *ia, M_IFADDR, M_WAITOK | M_ZERO); + refcnt_init_trace(&ia->ia_ifa.ifa_refcnt, + DT_REFCNT_IDX_IFADDR); ia->ia_addr.sin_family = AF_INET; ia->ia_addr.sin_len = sizeof(ia->ia_addr); ia->ia_ifa.ifa_addr = sintosa(&ia->ia_addr); @@ -745,7 +748,6 @@ in_purgeaddr(struct ifaddr *ifa) { struct ifnet *ifp = ifa->ifa_ifp; struct in_ifaddr *ia = ifatoia(ifa); - extern int ifatrash; NET_ASSERT_LOCKED(); @@ -760,7 +762,6 @@ in_purgeaddr(struct ifaddr *ifa) ia->ia_allhosts = NULL; } - ifatrash++; ia->ia_ifp = NULL; ifafree(&ia->ia_ifa); } Index: netinet6/in6.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/in6.c,v retrieving revision 1.247 diff -u -p -r1.247 in6.c --- netinet6/in6.c 6 Aug 2022 15:57:59 -0000 1.247 +++ netinet6/in6.c 23 Aug 2022 16:55:17 -0000 @@ -647,6 +647,8 @@ in6_update_ifa(struct ifnet *ifp, struct if (ia6 == NULL) { hostIsNew = 1; ia6 = malloc(sizeof(*ia6), M_IFADDR, M_WAITOK | M_ZERO); + refcnt_init_trace(&ia6->ia_ifa.ifa_refcnt, + DT_REFCNT_IDX_IFADDR); LIST_INIT(&ia6->ia6_memberships); /* Initialize the address and masks, and put time stamp */ ia6->ia_ifa.ifa_addr = sin6tosa(&ia6->ia_addr); @@ -938,7 +940,6 @@ void in6_unlink_ifa(struct in6_ifaddr *ia6, struct ifnet *ifp) { struct ifaddr *ifa = &ia6->ia_ifa; - extern int ifatrash; int plen; NET_ASSERT_LOCKED(); @@ -953,7 +954,6 @@ in6_unlink_ifa(struct in6_ifaddr *ia6, s rt_ifa_purge(ifa); ifa_del(ifp, ifa); - ifatrash++; ia6->ia_ifp = NULL; ifafree(&ia6->ia_ifa); } Index: netinet6/nd6_nbr.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/nd6_nbr.c,v retrieving revision 1.132 diff -u -p -r1.132 nd6_nbr.c --- netinet6/nd6_nbr.c 8 Aug 2022 17:47:59 -0000 1.132 +++ netinet6/nd6_nbr.c 23 Aug 2022 16:27:11 -0000 @@ -1124,8 +1124,7 @@ nd6_dad_start(struct ifaddr *ifa) * first packet to be sent from the interface after interface * (re)initialization. */ - dp->dad_ifa = ifa; - ifa->ifa_refcnt++; /* just for safety */ + dp->dad_ifa = ifaref(ifa); dp->dad_count = ip6_dad_count; dp->dad_ns_icount = dp->dad_na_icount = 0; dp->dad_ns_ocount = dp->dad_ns_tcount = 0; Index: sys/refcnt.h =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/sys/refcnt.h,v retrieving revision 1.7 diff -u -p -r1.7 refcnt.h --- sys/refcnt.h 28 Jun 2022 09:32:28 -0000 1.7 +++ sys/refcnt.h 23 Aug 2022 16:54:02 -0000 @@ -43,8 +43,10 @@ void refcnt_finalize(struct refcnt *, co int refcnt_shared(struct refcnt *); unsigned int refcnt_read(struct refcnt *); -#define DT_REFCNT_IDX_INPCB 1 -#define DT_REFCNT_IDX_TDB 2 +/* sorted alphabetically, keep in sync with dev/dt/dt_prov_static.c */ +#define DT_REFCNT_IDX_IFADDR 1 +#define DT_REFCNT_IDX_INPCB 2 +#define DT_REFCNT_IDX_TDB 3 #endif /* _KERNEL */