From nobody@FreeBSD.org  Fri Apr  8 19:08:22 2011
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id A35BA1065672
	for <freebsd-gnats-submit@FreeBSD.org>; Fri,  8 Apr 2011 19:08:22 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 926138FC1D
	for <freebsd-gnats-submit@FreeBSD.org>; Fri,  8 Apr 2011 19:08:22 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id p38J8MBS034227
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 8 Apr 2011 19:08:22 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id p38J8MBT034226;
	Fri, 8 Apr 2011 19:08:22 GMT
	(envelope-from nobody)
Message-Id: <201104081908.p38J8MBT034226@red.freebsd.org>
Date: Fri, 8 Apr 2011 19:08:22 GMT
From: Ingo Flaschberger <if@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: nd6_ns_input - rtalloc_mpath does not return a locked rtentry
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         156283
>Category:       kern
>Synopsis:       [ip6] [patch] nd6_ns_input - rtalloc_mpath does not return a locked rtentry
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    ae
>State:          patched
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Apr 08 19:10:09 UTC 2011
>Closed-Date:    
>Last-Modified:  Mon Nov 11 12:53:10 UTC 2013
>Originator:     Ingo Flaschberger
>Release:        FreeBSD 8.2-RELEASE
>Organization:
crossip communications gmbh
>Environment:
>Description:
Problem occurs when RADIX_MPATH is defined.

In nd6_ns_input rtalloc_mpath does not return a locked root.
Panic occurs when RTFREE_LOCKED(rt); is called at this route.

>How-To-Repeat:

>Fix:


Patch attached with submission follows:

--- nd6_nbr.c_org	2011-03-21 09:40:01.000000000 +0000
+++ nd6_nbr.c	2011-04-08 18:57:18.000000000 +0000
@@ -257,7 +257,11 @@
 			 */
 			if (need_proxy)
 				proxydl = *SDL(rt->rt_gateway);
+#ifdef RADIX_MPATH
+			RTFREE(rt);	/* rtalloc_mpath does not return a locked route */
+#else
 			RTFREE_LOCKED(rt);
+#endif
 		}
 		if (need_proxy) {
 			/*


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sat Apr 9 20:22:43 UTC 2011 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=156283 

From: Ingo Flaschberger <if@xip.at>
To: bug-followup@FreeBSD.org, if@FreeBSD.org
Cc:  
Subject: Re: kern/156283: [ip6] [patch] nd6_ns_input - rtalloc_mpath does
 not return a locked rtentry
Date: Thu, 08 Nov 2012 17:55:11 +0100

 Why is this bug not fixed in tree?
 
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/156283: commit references a PR
Date: Mon, 11 Nov 2013 12:49:07 +0000 (UTC)

 Author: ae
 Date: Mon Nov 11 12:49:00 2013
 New Revision: 257985
 URL: http://svnweb.freebsd.org/changeset/base/257985
 
 Log:
   Fix panic with RADIX_MPATH, when RTFREE_LOCKED() called for already
   unlocked route. Use in6_rtalloc() instead of in6_rtalloc1. This helps
   simplify the code and remove several now unused variables.
   
   PR:		156283
   MFC after:	2 weeks
 
 Modified:
   head/sys/netinet6/nd6_nbr.c
 
 Modified: head/sys/netinet6/nd6_nbr.c
 ==============================================================================
 --- head/sys/netinet6/nd6_nbr.c	Mon Nov 11 12:44:54 2013	(r257984)
 +++ head/sys/netinet6/nd6_nbr.c	Mon Nov 11 12:49:00 2013	(r257985)
 @@ -232,41 +232,28 @@ nd6_ns_input(struct mbuf *m, int off, in
  
  	/* (2) check. */
  	if (ifa == NULL) {
 -		struct rtentry *rt;
 -		struct sockaddr_in6 tsin6;
 -		int need_proxy;
 -#ifdef RADIX_MPATH
  		struct route_in6 ro;
 -#endif
 +		int need_proxy;
  
 -		bzero(&tsin6, sizeof tsin6);
 -		tsin6.sin6_len = sizeof(struct sockaddr_in6);
 -		tsin6.sin6_family = AF_INET6;
 -		tsin6.sin6_addr = taddr6;
 +		bzero(&ro, sizeof(ro));
 +		ro.ro_dst.sin6_len = sizeof(struct sockaddr_in6);
 +		ro.ro_dst.sin6_family = AF_INET6;
 +		ro.ro_dst.sin6_addr = taddr6;
  
  		/* Always use the default FIB. */
  #ifdef RADIX_MPATH
 -		bzero(&ro, sizeof(ro));
 -		ro.ro_dst = tsin6;
  		rtalloc_mpath_fib((struct route *)&ro, RTF_ANNOUNCE,
  		    RT_DEFAULT_FIB);
 -		rt = ro.ro_rt;
  #else
 -		rt = in6_rtalloc1((struct sockaddr *)&tsin6, 0, 0,
 -		    RT_DEFAULT_FIB);
 +		in6_rtalloc(&ro, RT_DEFAULT_FIB);
  #endif
 -		need_proxy = (rt && (rt->rt_flags & RTF_ANNOUNCE) != 0 &&
 -		    rt->rt_gateway->sa_family == AF_LINK);
 -		if (rt != NULL) {
 -			/*
 -			 * Make a copy while we can be sure that rt_gateway
 -			 * is still stable before unlocking to avoid lock
 -			 * order problems.  proxydl will only be used if
 -			 * proxy will be set in the next block.
 -			 */
 +		need_proxy = (ro.ro_rt &&
 +		    (ro.ro_rt->rt_flags & RTF_ANNOUNCE) != 0 &&
 +		    ro.ro_rt->rt_gateway->sa_family == AF_LINK);
 +		if (ro.ro_rt != NULL) {
  			if (need_proxy)
 -				proxydl = *SDL(rt->rt_gateway);
 -			RTFREE_LOCKED(rt);
 +				proxydl = *SDL(ro.ro_rt->rt_gateway);
 +			RTFREE(ro.ro_rt);
  		}
  		if (need_proxy) {
  			/*
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->patched 
State-Changed-By: ae 
State-Changed-When: Mon Nov 11 12:52:39 UTC 2013 
State-Changed-Why:  
Patched in head/. 


Responsible-Changed-From-To: freebsd-net->ae 
Responsible-Changed-By: ae 
Responsible-Changed-When: Mon Nov 11 12:52:39 UTC 2013 
Responsible-Changed-Why:  
Take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=156283 
>Unformatted:
