From nobody@FreeBSD.org  Thu Sep 30 23:18:25 2004
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id BCC1016A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 30 Sep 2004 23:18:25 +0000 (GMT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 97A7643D39
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 30 Sep 2004 23:18:25 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.11/8.12.11) with ESMTP id i8UNIPD5056272
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 30 Sep 2004 23:18:25 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.11/8.12.11/Submit) id i8UNIPXl056271;
	Thu, 30 Sep 2004 23:18:25 GMT
	(envelope-from nobody)
Message-Id: <200409302318.i8UNIPXl056271@www.freebsd.org>
Date: Thu, 30 Sep 2004 23:18:25 GMT
From: Richard Andrades <richard.andrades@utstar.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Bug in calculation of the parameter for the in6_rtqtimo and in6_mtutimo timeout functions
X-Send-Pr-Version: www-2.3

>Number:         72217
>Category:       kern
>Synopsis:       [netinet6] [patch] Bug in calculation of the parameter for the in6_rtqtimo and in6_mtutimo timeout functions
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 30 23:20:24 GMT 2004
>Closed-Date:    Sun Jun 01 19:05:36 UTC 2008
>Last-Modified:  Sun Jun 01 19:05:36 UTC 2008
>Originator:     Richard Andrades
>Release:        FreeBSD 4.9 RELEASE
>Organization:
UTStarcom
>Environment:
FreeBSD mobo14 4.9-RELEASE FreeBSD 4.9-RELEASE #0   root@rainier.nj.us.utstar.com:/usr/home/build/richard/main/os/freebsd/kernel/DISKLESS  i386
>Description:
The current time is not subtracted from the calculated (future) absolute
time for the timeout function before calling timeout() - which expects a
relative time. This results in the function getting called after a (much)
larger than expected timeout time interval.

>How-To-Repeat:
These timeouts are not used very often so it is not easy to notice this
problem. It does not show up normally. Only found them by accident while
debugging the timer code for an unrelated problem.

>Fix:
FILE: src/sys/netinet6/in6_rmx.c

The bug is present in two separate functions in this file.

static void
in6_rtqtimo(void *rock)
{
..
..
..
        atv.tv_usec = 0;
	atv.tv_sec = arg.nextstop; /* BUG: Must subtract current time */
	timeout(in6_rtqtimo, rock, tvtohz(&atv));
}

AND:

static void
in6_mtutimo(void *rock)
{
..
..
..
        atv.tv_usec = 0;
	atv.tv_sec = arg.nextstop;
	if (atv.tv_sec < time_second) {
		printf("invalid mtu expiration time on routing table\n");
		arg.nextstop = time_second + 30;	/* last resort */
	}
        /* BUG: Must subtract surrent time */
	timeout(in6_mtutimo, rock, tvtohz(&atv));
}



Change to:

static void
in6_rtqtimo(void *rock)
{
..
..
..
        atv.tv_usec = 0;
	atv.tv_sec = arg.nextstop - time_second; /* Fix: Subtract current time */
	timeout(in6_rtqtimo, rock, tvtohz(&atv));
}

AND:

static void
in6_mtutimo(void *rock)
{
..
..
..
        atv.tv_usec = 0;
	atv.tv_sec = arg.nextstop;
	if (atv.tv_sec < time_second) {
		printf("invalid mtu expiration time on routing table\n");
		arg.nextstop = time_second + 30;	/* last resort */
	}
	atv.tv_sec = arg.nextstop - time_second; /* Fix: Subtract current time */
	timeout(in6_mtutimo, rock, tvtohz(&atv));
}


Note:

These problems are still present in newer versions of FreeBSD
although the code is now using callout_reset() instead of timeout().

>Release-Note:
>Audit-Trail:

From: Volker <volker@vwsoft.com>
To: bug-followup@FreeBSD.org, richard.andrades@utstar.com
Cc:  
Subject: Re: kern/72217: [netinet6] [patch] Bug in calculation of the parameter
 for the in6_rtqtimo and in6_mtutimo timeout functions
Date: Wed, 20 Feb 2008 12:55:33 +0100

 Fixed in in6_rmx.c rev 1.13, committed 2004-10-06
 and is now in HEAD, RELENG_6, RELENG_7 but never made it to RELENG_4 and
 RELENG_5
State-Changed-From-To: open->patched 
State-Changed-By: linimon 
State-Changed-When: Sat Feb 23 03:21:55 UTC 2008 
State-Changed-Why:  
Awaiting MFC to 5, if anyone is still interested.  If this is still 
open by the EOL of 5, we'll just close it instead. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=72217 

From: Volker <volker@vwsoft.com>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/72217: [netinet6] [patch] Bug in calculation of the parameter
 for the in6_rtqtimo and in6_mtutimo timeout functions
Date: Sat, 23 Feb 2008 13:46:07 +0100

 Please note, mail to submitter bounces:
 
 Diagnostic-Code: smtp; 553 5.3.0 <richard.andrades@utstar.com>...
 Unknown user address
State-Changed-From-To: patched->closed 
State-Changed-By: gavin 
State-Changed-When: Sun Jun 1 19:05:12 UTC 2008 
State-Changed-Why:  
Close, fixed in all supported releases. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=72217 
>Unformatted:
