Details

Reviewers

melifaro
ae
hiren
jhb
rrs
glebius
bz
adrian
gallatin
loos

Commits

rS336405: Move invoking of callout_stop(&lle->lle_timer) into llentry_free().

Summary

By running the following commands link level entries will leak.
This in particular causes a panic when ejecting USB type of ethernet devices.

DEF_ROUTE=x.x.x.x # replace with IP of your default route
vmstat -m | grep llt
arp -d $DEF_ROUTE
ping $DEF_ROUTE
vmstat -m | grep llt
arp -d $DEF_ROUTE
ping $DEF_ROUTE

Fix problem by adding missing callout_stop() calls.
Technically a callout_drain() call is required, though this patch is better than nothing.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

• hselasky updated this revision to Diff 11394.Dec 17 2015, 7:37 PM

• hselasky retitled this revision from to Fix races managing link level tables related to use of callouts.

• hselasky updated this object.

• hselasky edited the test plan for this revision. (Show Details)

• hselasky added reviewers: rrs, glebius, hiren, sbruno, adrian, jhb, bz.

• hselasky set the repository for this revision to rS FreeBSD src repository - subversion.

Herald added a subscriber: imp. · View Herald TranscriptDec 17 2015, 7:37 PM

• hselasky added a reviewer: melifaro.Dec 17 2015, 7:39 PM

sbruno added a reviewer: ae.Dec 18 2015, 9:32 PM

sbruno removed a reviewer: sbruno.

sbruno added a subscriber: sbruno.

kbowling added a subscriber: kbowling.Dec 18 2015, 11:22 PM

Need to check for LLE_LINKED at entry of callout function. Seems some code path is not stopping the callouts!

I'm currently investigating the call to arptimer when LLE_LINKED is not set, who is not clearing the timer.

Here goes:

lltable_delete_addr() will unlink the entry and try to delete it, but doesn't stop the callout.

For example reproduce using the default route x.x.x.x:

vmstat -m | grep llt
arp -d x.x.x.x
ping x.x.x.x
vmstat -m | grep llt
arp -d x.x.x.x
ping x.x.x.x

I observe that the number of llt allocations doesn't drop after the deletion, which means the timer for the unlinked entry still has one reference which appears to be causing this arptimer panic.

Need to stop timer when deleting arp table entries.

• hselasky added a subscriber: markb_mellanox.com.Dec 19 2015, 11:57 AM

Ping - any reviewers active on this one?

In D4605#102190, @hselasky wrote:

Ping - any reviewers active on this one?

sorry, will take a look today.

j-nitrology.com added a subscriber: j-nitrology.com.May 22 2016, 12:51 AM

Update patch to match 12-current.

jch added a subscriber: jch.Aug 25 2016, 6:51 AM

franco_opnsense.org added a subscriber: franco_opnsense.org.Feb 4 2017, 8:32 AM

Ping - this is still an issue in 12-current when yanking USB network devices.

Update patch for 12-current

We run a similar fix in pfSense for quite some time now.

This revision is now accepted and ready to land.Jan 23 2018, 8:26 PM

Closed by commit rS336405: Move invoking of callout_stop(&lle->lle_timer) into llentry_free(). (authored by ae). · Explain WhyJul 17 2018, 11:33 AM

This revision was automatically updated to reflect the committed changes.

Properly stop timer before freeing link level entries for IPv4 and IPv6
ClosedPublic
Actions

Details

Diff Detail

Event Timeline

Revision Contents
Changeset List

Diff 45408

head/sys/net/if_llatbl.c

head/sys/netinet/in.c

head/sys/netinet6/in6.c

Properly stop timer before freeing link level entries for IPv4 and IPv6ClosedPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 45408

head/sys/net/if_llatbl.c

head/sys/netinet/in.c

head/sys/netinet6/in6.c

Properly stop timer before freeing link level entries for IPv4 and IPv6
ClosedPublic
Actions

Revision Contents
Changeset List