Module Name: src
Committed By: ozaki-r
Date: Fri Jun 1 07:13:35 UTC 2018
Modified Files:
src/sys/net: route.c
src/sys/netinet: ip_icmp.c
src/sys/netinet6: icmp6.c
Log Message:
Fix _rt_free via rtrequest(RTM_DELETE) hangs in rt_timer handlers
A rt_timer handler is passed a rtentry with an extra reference that avoids the
rtentry is accidentally released. So rt_timer handers must release the
reference
of a passed rtentry by themselves (but they didn't).
To generate a diff of this commit:
cvs rdiff -u -r1.209 -r1.210 src/sys/net/route.c
cvs rdiff -u -r1.170 -r1.171 src/sys/netinet/ip_icmp.c
cvs rdiff -u -r1.237 -r1.238 src/sys/netinet6/icmp6.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/net/route.c
diff -u src/sys/net/route.c:1.209 src/sys/net/route.c:1.210
--- src/sys/net/route.c:1.209 Thu Apr 12 04:38:13 2018
+++ src/sys/net/route.c Fri Jun 1 07:13:35 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: route.c,v 1.209 2018/04/12 04:38:13 ozaki-r Exp $ */
+/* $NetBSD: route.c,v 1.210 2018/06/01 07:13:35 ozaki-r Exp $ */
/*-
* Copyright (c) 1998, 2008 The NetBSD Foundation, Inc.
@@ -97,7 +97,7 @@
#endif
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: route.c,v 1.209 2018/04/12 04:38:13 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: route.c,v 1.210 2018/06/01 07:13:35 ozaki-r Exp $");
#include <sys/param.h>
#ifdef RTFLUSH_DEBUG
@@ -1959,7 +1959,12 @@ rt_timer_work(struct work *wk, void *arg
(r->rtt_time + rtq->rtq_timeout) < time_uptime) {
LIST_REMOVE(r, rtt_link);
TAILQ_REMOVE(&rtq->rtq_head, r, rtt_next);
- rt_ref(r->rtt_rt); /* XXX */
+ /*
+ * Take a reference to avoid the rtentry is freed
+ * accidentally after RT_UNLOCK. The callback
+ * (rtt_func) must rt_unref it by itself.
+ */
+ rt_ref(r->rtt_rt);
RT_REFCNT_TRACE(r->rtt_rt);
RT_UNLOCK();
(*r->rtt_func)(r->rtt_rt, r);
Index: src/sys/netinet/ip_icmp.c
diff -u src/sys/netinet/ip_icmp.c:1.170 src/sys/netinet/ip_icmp.c:1.171
--- src/sys/netinet/ip_icmp.c:1.170 Fri May 11 14:38:28 2018
+++ src/sys/netinet/ip_icmp.c Fri Jun 1 07:13:35 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_icmp.c,v 1.170 2018/05/11 14:38:28 maxv Exp $ */
+/* $NetBSD: ip_icmp.c,v 1.171 2018/06/01 07:13:35 ozaki-r Exp $ */
/*
* Copyright (c) 1998, 2000 The NetBSD Foundation, Inc.
@@ -94,7 +94,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_icmp.c,v 1.170 2018/05/11 14:38:28 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_icmp.c,v 1.171 2018/06/01 07:13:35 ozaki-r Exp $");
#ifdef _KERNEL_OPT
#include "opt_ipsec.h"
@@ -1265,6 +1265,7 @@ ip_next_mtu(u_int mtu, int dir) /* XXX u
static void
icmp_mtudisc_timeout(struct rtentry *rt, struct rttimer *r)
{
+ struct rtentry *retrt;
KASSERT(rt != NULL);
rt_assert_referenced(rt);
@@ -1272,7 +1273,9 @@ icmp_mtudisc_timeout(struct rtentry *rt,
if ((rt->rt_flags & (RTF_DYNAMIC | RTF_HOST)) ==
(RTF_DYNAMIC | RTF_HOST)) {
rtrequest(RTM_DELETE, rt_getkey(rt),
- rt->rt_gateway, rt_mask(rt), rt->rt_flags, NULL);
+ rt->rt_gateway, rt_mask(rt), rt->rt_flags, &retrt);
+ rt_unref(rt);
+ rt_free(retrt);
} else {
if ((rt->rt_rmx.rmx_locks & RTV_MTU) == 0) {
rt->rt_rmx.rmx_mtu = 0;
@@ -1283,6 +1286,7 @@ icmp_mtudisc_timeout(struct rtentry *rt,
static void
icmp_redirect_timeout(struct rtentry *rt, struct rttimer *r)
{
+ struct rtentry *retrt;
KASSERT(rt != NULL);
rt_assert_referenced(rt);
@@ -1290,7 +1294,9 @@ icmp_redirect_timeout(struct rtentry *rt
if ((rt->rt_flags & (RTF_DYNAMIC | RTF_HOST)) ==
(RTF_DYNAMIC | RTF_HOST)) {
rtrequest(RTM_DELETE, rt_getkey(rt),
- rt->rt_gateway, rt_mask(rt), rt->rt_flags, NULL);
+ rt->rt_gateway, rt_mask(rt), rt->rt_flags, &retrt);
+ rt_unref(rt);
+ rt_free(retrt);
}
}
Index: src/sys/netinet6/icmp6.c
diff -u src/sys/netinet6/icmp6.c:1.237 src/sys/netinet6/icmp6.c:1.238
--- src/sys/netinet6/icmp6.c:1.237 Mon May 7 10:21:08 2018
+++ src/sys/netinet6/icmp6.c Fri Jun 1 07:13:35 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: icmp6.c,v 1.237 2018/05/07 10:21:08 maxv Exp $ */
+/* $NetBSD: icmp6.c,v 1.238 2018/06/01 07:13:35 ozaki-r Exp $ */
/* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.237 2018/05/07 10:21:08 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.238 2018/06/01 07:13:35 ozaki-r Exp $");
#ifdef _KERNEL_OPT
#include "opt_inet.h"
@@ -2834,6 +2834,7 @@ icmp6_mtudisc_clone(struct sockaddr *dst
static void
icmp6_mtudisc_timeout(struct rtentry *rt, struct rttimer *r)
{
+ struct rtentry *retrt;
KASSERT(rt != NULL);
rt_assert_referenced(rt);
@@ -2841,7 +2842,9 @@ icmp6_mtudisc_timeout(struct rtentry *rt
if ((rt->rt_flags & (RTF_DYNAMIC | RTF_HOST)) ==
(RTF_DYNAMIC | RTF_HOST)) {
rtrequest(RTM_DELETE, rt_getkey(rt),
- rt->rt_gateway, rt_mask(rt), rt->rt_flags, NULL);
+ rt->rt_gateway, rt_mask(rt), rt->rt_flags, &retrt);
+ rt_unref(rt);
+ rt_free(retrt);
} else {
if (!(rt->rt_rmx.rmx_locks & RTV_MTU))
rt->rt_rmx.rmx_mtu = 0;
@@ -2851,14 +2854,18 @@ icmp6_mtudisc_timeout(struct rtentry *rt
static void
icmp6_redirect_timeout(struct rtentry *rt, struct rttimer *r)
{
+ struct rtentry *retrt;
KASSERT(rt != NULL);
rt_assert_referenced(rt);
if ((rt->rt_flags & (RTF_GATEWAY | RTF_DYNAMIC | RTF_HOST)) ==
(RTF_GATEWAY | RTF_DYNAMIC | RTF_HOST)) {
+ printf("%s: RTM_DELETE\n", __func__);
rtrequest(RTM_DELETE, rt_getkey(rt),
- rt->rt_gateway, rt_mask(rt), rt->rt_flags, NULL);
+ rt->rt_gateway, rt_mask(rt), rt->rt_flags, &retrt);
+ rt_unref(rt);
+ rt_free(retrt);
}
}
