Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys Fix _rt_free via rtrequest(RTM_DELETE) hangs in rt_timer...
details: https://anonhg.NetBSD.org/src/rev/cb40fa46b98d
branches: trunk
changeset: 319495:cb40fa46b98d
user: ozaki-r <ozaki-r%NetBSD.org@localhost>
date: Fri Jun 01 07:13:35 2018 +0000
description:
Fix _rt_free via rtrequest(RTM_DELETE) hangs in rt_timer handlers
A rt_timer handler is passed a rtentry with an extra reference that avoids the
rtentry is accidentally released. So rt_timer handers must release the reference
of a passed rtentry by themselves (but they didn't).
diffstat:
sys/net/route.c | 11 ++++++++---
sys/netinet/ip_icmp.c | 14 ++++++++++----
sys/netinet6/icmp6.c | 15 +++++++++++----
3 files changed, 29 insertions(+), 11 deletions(-)
diffs (145 lines):
diff -r 4d40ee3eb745 -r cb40fa46b98d sys/net/route.c
--- a/sys/net/route.c Fri Jun 01 05:48:29 2018 +0000
+++ b/sys/net/route.c Fri Jun 01 07:13:35 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: route.c,v 1.209 2018/04/12 04:38:13 ozaki-r Exp $ */
+/* $NetBSD: route.c,v 1.210 2018/06/01 07:13:35 ozaki-r Exp $ */
/*-
* Copyright (c) 1998, 2008 The NetBSD Foundation, Inc.
@@ -97,7 +97,7 @@
#endif
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: route.c,v 1.209 2018/04/12 04:38:13 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: route.c,v 1.210 2018/06/01 07:13:35 ozaki-r Exp $");
#include <sys/param.h>
#ifdef RTFLUSH_DEBUG
@@ -1959,7 +1959,12 @@
(r->rtt_time + rtq->rtq_timeout) < time_uptime) {
LIST_REMOVE(r, rtt_link);
TAILQ_REMOVE(&rtq->rtq_head, r, rtt_next);
- rt_ref(r->rtt_rt); /* XXX */
+ /*
+ * Take a reference to avoid the rtentry is freed
+ * accidentally after RT_UNLOCK. The callback
+ * (rtt_func) must rt_unref it by itself.
+ */
+ rt_ref(r->rtt_rt);
RT_REFCNT_TRACE(r->rtt_rt);
RT_UNLOCK();
(*r->rtt_func)(r->rtt_rt, r);
diff -r 4d40ee3eb745 -r cb40fa46b98d sys/netinet/ip_icmp.c
--- a/sys/netinet/ip_icmp.c Fri Jun 01 05:48:29 2018 +0000
+++ b/sys/netinet/ip_icmp.c Fri Jun 01 07:13:35 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_icmp.c,v 1.170 2018/05/11 14:38:28 maxv Exp $ */
+/* $NetBSD: ip_icmp.c,v 1.171 2018/06/01 07:13:35 ozaki-r Exp $ */
/*
* Copyright (c) 1998, 2000 The NetBSD Foundation, Inc.
@@ -94,7 +94,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_icmp.c,v 1.170 2018/05/11 14:38:28 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_icmp.c,v 1.171 2018/06/01 07:13:35 ozaki-r Exp $");
#ifdef _KERNEL_OPT
#include "opt_ipsec.h"
@@ -1265,6 +1265,7 @@
static void
icmp_mtudisc_timeout(struct rtentry *rt, struct rttimer *r)
{
+ struct rtentry *retrt;
KASSERT(rt != NULL);
rt_assert_referenced(rt);
@@ -1272,7 +1273,9 @@
if ((rt->rt_flags & (RTF_DYNAMIC | RTF_HOST)) ==
(RTF_DYNAMIC | RTF_HOST)) {
rtrequest(RTM_DELETE, rt_getkey(rt),
- rt->rt_gateway, rt_mask(rt), rt->rt_flags, NULL);
+ rt->rt_gateway, rt_mask(rt), rt->rt_flags, &retrt);
+ rt_unref(rt);
+ rt_free(retrt);
} else {
if ((rt->rt_rmx.rmx_locks & RTV_MTU) == 0) {
rt->rt_rmx.rmx_mtu = 0;
@@ -1283,6 +1286,7 @@
static void
icmp_redirect_timeout(struct rtentry *rt, struct rttimer *r)
{
+ struct rtentry *retrt;
KASSERT(rt != NULL);
rt_assert_referenced(rt);
@@ -1290,7 +1294,9 @@
if ((rt->rt_flags & (RTF_DYNAMIC | RTF_HOST)) ==
(RTF_DYNAMIC | RTF_HOST)) {
rtrequest(RTM_DELETE, rt_getkey(rt),
- rt->rt_gateway, rt_mask(rt), rt->rt_flags, NULL);
+ rt->rt_gateway, rt_mask(rt), rt->rt_flags, &retrt);
+ rt_unref(rt);
+ rt_free(retrt);
}
}
diff -r 4d40ee3eb745 -r cb40fa46b98d sys/netinet6/icmp6.c
--- a/sys/netinet6/icmp6.c Fri Jun 01 05:48:29 2018 +0000
+++ b/sys/netinet6/icmp6.c Fri Jun 01 07:13:35 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: icmp6.c,v 1.237 2018/05/07 10:21:08 maxv Exp $ */
+/* $NetBSD: icmp6.c,v 1.238 2018/06/01 07:13:35 ozaki-r Exp $ */
/* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.237 2018/05/07 10:21:08 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.238 2018/06/01 07:13:35 ozaki-r Exp $");
#ifdef _KERNEL_OPT
#include "opt_inet.h"
@@ -2834,6 +2834,7 @@
static void
icmp6_mtudisc_timeout(struct rtentry *rt, struct rttimer *r)
{
+ struct rtentry *retrt;
KASSERT(rt != NULL);
rt_assert_referenced(rt);
@@ -2841,7 +2842,9 @@
if ((rt->rt_flags & (RTF_DYNAMIC | RTF_HOST)) ==
(RTF_DYNAMIC | RTF_HOST)) {
rtrequest(RTM_DELETE, rt_getkey(rt),
- rt->rt_gateway, rt_mask(rt), rt->rt_flags, NULL);
+ rt->rt_gateway, rt_mask(rt), rt->rt_flags, &retrt);
+ rt_unref(rt);
+ rt_free(retrt);
} else {
if (!(rt->rt_rmx.rmx_locks & RTV_MTU))
rt->rt_rmx.rmx_mtu = 0;
@@ -2851,14 +2854,18 @@
static void
icmp6_redirect_timeout(struct rtentry *rt, struct rttimer *r)
{
+ struct rtentry *retrt;
KASSERT(rt != NULL);
rt_assert_referenced(rt);
if ((rt->rt_flags & (RTF_GATEWAY | RTF_DYNAMIC | RTF_HOST)) ==
(RTF_GATEWAY | RTF_DYNAMIC | RTF_HOST)) {
+ printf("%s: RTM_DELETE\n", __func__);
rtrequest(RTM_DELETE, rt_getkey(rt),
- rt->rt_gateway, rt_mask(rt), rt->rt_flags, NULL);
+ rt->rt_gateway, rt_mask(rt), rt->rt_flags, &retrt);
+ rt_unref(rt);
+ rt_free(retrt);
}
}
Home |
Main Index |
Thread Index |
Old Index