Date: Sun, 22 Jul 2001 14:32:45 -0700 (PDT)
From: Richard Andrades <richard@xebeo.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/29150: Incomplete cleanup in the netgraph bridge shutdown function
Message-ID: <200107222132.f6MLWjt16345@freefall.freebsd.org>

>Number:         29150
>Category:       kern
>Synopsis:       Incomplete cleanup in the netgraph bridge shutdown function
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jul 22 14:40:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Richard Andrades
>Release:        RELENG_4_1_1_RELEASE (Revision 1.1.2.2)
>Organization:
Xebeo Communications, Inc.
>Environment:
FreeBSD X2.xebeo.com 4.1.1 FreeBSD 4.1.1 #11: Tue Jul 17 14:47:29 EDT 2001 richard@X2.xebeo.com:/net/scratch/richard/kern/kernel/sys/compile/GENERIC i386
>Description:
When a netgraph bridge node is destroyed, the shutdown function fails to
deregister the callout function, sometimes leading to a kernel crash (it
doesn't happen every time so it is hard to reproduce).

It also fails to decrement the node's refcount (which was bumped by the
constructor). Usually (not always) this causes a memory leak. This one is
very easy to find.
>How-To-Repeat:
The first BUG can be reproduced by repeatedly adding and removing netgraph
bridges. Sooner or later the kernel will crash.

The second bug can be reproduced by adding and removing a netgraph bridge.
>Fix:
FILE: src/sys/netgraph/ng_bridge.c

/* NOTE: This function has been renamed ng_bridge_shutdown in the */
/* current version of FreeBSD */

/*
 * Shutdown node
 */
static int
ng_bridge_rmnode(node_p node)
{
	const priv_p priv = node->private;

	ng_unname(node);
	ng_cutlinks(node);		/* frees all link and host info */
	KASSERT(priv->numLinks == 0 && priv->numHosts == 0,
	    ("%s: numLinks=%d numHosts=%d",
	    __FUNCTION__, priv->numLinks, priv->numHosts));

	/* Fix to BUG #1 */
	callout_stop(&priv->timer);
	/* If the callout is not cancelled when the node is */
	/* removed, a timeout sometimes crashes the kernel. */
	/* End of fix to BUG #1 */

	FREE(priv->tab, M_NETGRAPH);
	FREE(priv, M_NETGRAPH);
	node->private = NULL;

	/* Fix to BUG #2 */
	/* The refcount was incremented by 1 in the constructor. It may
	 * have been decremented by 1 by the timeout. If not, do it now.
	 * This must come after callout_reset. */
	if(node->refs > 1)
		ng_unref(node);	/* Extra one, to compensate for constructor action */
	/* If the refcount is more than one at this point, the node */
	/* is not removed and it causes a memory leak (64 bytes). */
	/* End of Fix to BUG #2 */

	ng_unref(node);
	return (0);
}
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200107222132.f6MLWjt16345>
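
Added example (not part of the original report, and not FreeBSD code): a user-space C model of the two failure modes described in the report, showing why they only appear when the timer is still armed at shutdown. All names (struct node, timer_stop, timer_fire, outcome) are hypothetical, the timer is modelled as one-shot, and the fixed path uses the stop call's result to decide whether to drop the timer's reference, where the report's patch tests node->refs > 1.

```c
#include <stdlib.h>

/* Hypothetical user-space model; not the FreeBSD netgraph or callout API. */
struct node  { int refs; void *priv; int freed; };
struct timer { struct node *arg; int pending; };

static void node_unref(struct node *n) { if (--n->refs == 0) n->freed = 1; }

/* Cancel the timer; returns 1 only if it was still armed. */
static int timer_stop(struct timer *t) { int was = t->pending; t->pending = 0; return was; }

/* One-shot handler: a real one would read n->priv here, then drop the timer's ref. */
static void timer_fire(struct timer *t) { t->pending = 0; node_unref(t->arg); }

/* "Before": private data freed while the timer is still armed and holds a ref. */
static void shutdown_buggy(struct node *n, struct timer *t) {
    (void)t;
    free(n->priv); n->priv = NULL;
    node_unref(n);
}

/* "After": cancel first, and release the timer's ref only if it never ran. */
static void shutdown_fixed(struct node *n, struct timer *t) {
    if (timer_stop(t))
        node_unref(n);
    free(n->priv); n->priv = NULL;
    node_unref(n);
}

/* Bit 0: timer still armed against freed private data. Bit 1: node never released. */
static int outcome(void (*sd)(struct node *, struct timer *), int fired_first) {
    struct node n = { 2, malloc(16), 0 };   /* constructor: caller ref + timer ref */
    struct timer t = { &n, 1 };
    if (fired_first)
        timer_fire(&t);                     /* timer ran before shutdown */
    sd(&n, &t);
    return (t.pending && n.priv == NULL ? 1 : 0) | (n.freed ? 0 : 2);
}

int main(void) {
    (void)outcome(shutdown_buggy, 0);       /* both bits set in this model */
    return outcome(shutdown_fixed, 0) | outcome(shutdown_fixed, 1);
}
```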