From owner-freebsd-bugs  Tue May 16 07:01:48 1995
Return-Path: bugs-owner
Received: (from majordom@localhost)
          by freefall.cdrom.com (8.6.10/8.6.6) id HAA10136
          for bugs-outgoing; Tue, 16 May 1995 07:01:48 -0700
Received: from halloran-eldar.lcs.mit.edu (halloran-eldar.lcs.mit.edu [18.26.0.159])
          by freefall.cdrom.com (8.6.10/8.6.6) with SMTP id HAA10130
          for <bugs@freebsd.org>; Tue, 16 May 1995 07:01:45 -0700
Received: by halloran-eldar.lcs.mit.edu; (5.65/1.1.3.6) id AA19916; Tue, 16 May 1995 10:01:27 -0400
Date: Tue, 16 May 1995 10:01:27 -0400
From: Garrett Wollman <wollman@halloran-eldar.lcs.mit.edu>
Message-Id: <9505161401.AA19916@halloran-eldar.lcs.mit.edu>
To: davidg@Root.COM
Cc: bugs@FreeBSD.org
Subject: Appears to fix rtfree() panics
In-Reply-To: <199505152249.PAA03566@corbin.Root.COM>
References: <199505152249.PAA03566@corbin.Root.COM>
Sender: bugs-owner@FreeBSD.org
Precedence: bulk

<<On Mon, 15 May 1995 15:49:18 -0700, David Greenman <davidg@Root.COM> said:

>    The patch you posted appears to fix the route reference count problems that
> people have reported. Any objections for commit?


> ! 			if ((rt = saved_nrt)->rt_refcnt <= 0)

> ! 			if ((rt = saved_nrt))

Just to follow up on this, here's what was happening:

The problem was that, in most situations, there were still PCBs with
active references to cloned children of the route being deleted.
Because clones keep a reference to their parents, the reference count
was non-zero, and the delete code here was not incrementing the
reference count like it should have in preparation for the rtfree()
which happens further down (after the `report' label).  Thus, the
reference count of this route was one less than it should have been.
The RTM_DELETE code in rtrequest() then deleted all of the cloned
children, so that the next reference to them by one of these active
PCBs would result in a reference drop and deletion of the clones,
which would in turn drop a reference to the parent.  But, because the
reference count was one too small, the second-to-the-last reference
drop caused the route to get freed, and then when the last drop
happened, the route had already been re-allocated and overwritten with
garbage (or at least, something that was not a valid route).  This
caused the panic.

-GAWollman

--
Garrett A. Wollman   | Shashish is simple, it's discreet, it's brief. ... 
wollman@lcs.mit.edu  | Shashish is the bonding of hearts in spite of distance.
Opinions not those of| It is a bond more powerful than absence.  We like people
MIT, LCS, ANA, or NSA| who like Shashish.  - Claude McKenzie + Florent Vollant