Page MenuHomeFreeBSD
Differential D25519

ip_forward(): Fix a possible next-hop refcount leak.
ClosedPublic
Actions

Authored by markj on Jun 30 2020, 3:36 PM.
Tags
None
Referenced Files
Unknown Object (File)
Oct 20 2024, 4:03 AM
Unknown Object (File)
Oct 2 2024, 11:56 PM
Unknown Object (File)
Sep 9 2024, 12:50 PM
Unknown Object (File)
Sep 5 2024, 10:33 PM
Unknown Object (File)
Aug 30 2024, 7:05 AM
Unknown Object (File)
Aug 14 2024, 2:04 PM
Unknown Object (File)
Aug 10 2024, 7:49 AM
Unknown Object (File)
Aug 8 2024, 11:58 AM
View All 52 Files
Subscribers
imp
melifaro

Details

Reviewers
melifaro
ae
Commits
rS362840: Fix a possible next-hop refcount leak when handling IPSec traffic.
Summary

This is based on some code review for PR 246951. I suspect that we
could move the lookup to after the IPSec check, but I would like a
minimal patch that I can backport to stable branches (there is a ia ref
leak there too).

I looked through other uses of NHR_REF but didn't find any other obvious
leaks.

I am also a bit uncertain about nhop_ref_object(). It uses
refcount_acquire_if_not_zero(), but most callers don't check the return
value, presumably because it's assumed that it can never fail in those
cases. Should we assert that?

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

markj created this revision.Jun 30 2020, 3:36 PM
Herald added a subscriber: melifaro. · View Herald TranscriptJun 30 2020, 3:36 PM
markj requested review of this revision.Jun 30 2020, 3:36 PM
Harbormaster completed remote builds in B32062: Diff 73907.Jun 30 2020, 3:36 PM
markj added reviewers: melifaro, ae.Jun 30 2020, 3:37 PM
melifaro accepted this revision.Jun 30 2020, 9:44 PM

Re nhop_ref_object(): indeed, in many cases we acquire refcount under radix read or write lock, which implies that some routes are pointing to that nhop -> it has non-zero count.
In some corner cases we want to do it without holding radix lock and in that scenario we need to check whether we were able to acquire reference or not.

IT actually should be in the manpage(s), which I haven't written yet :-(

This revision is now accepted and ready to land.Jun 30 2020, 9:44 PM
markj added a comment.Jun 30 2020, 9:52 PM
In D25519#564063, @melifaro wrote:

Re nhop_ref_object(): indeed, in many cases we acquire refcount under radix read or write lock, which implies that some routes are pointing to that nhop -> it has non-zero count.
In some corner cases we want to do it without holding radix lock and in that scenario we need to check whether we were able to acquire reference or not.

It might be preferable to add a separate function for those cases where we know it can't fail, since in that case we can use the cheaper refcount_acquire() (which does fetchadd instead of cmpset).

markj added a comment.Jul 1 2020, 3:31 PM
In D25519#564070, @markj wrote:

It might be preferable to add a separate function for those cases where we know it can't fail, since in that case we can use the cheaper refcount_acquire() (which does fetchadd instead of cmpset).

https://reviews.freebsd.org/D25535

Closed by commit rS362840: Fix a possible next-hop refcount leak when handling IPSec traffic. (authored by markj). · Explain WhyJul 1 2020, 3:43 PM
This revision was automatically updated to reflect the committed changes.
markj added a commit: rS362840: Fix a possible next-hop refcount leak when handling IPSec traffic..
Herald added a subscriber: imp. · View Herald TranscriptJul 1 2020, 3:43 PM

Revision Contents
Changeset List

PathSize
head/
sys/
netinet/
1 line

Diff 73972

View Options

head/sys/netinet/ip_input.c

Loading...