Plug reference leak.

Interface routes are refcounted as packets move through the stack, and there's garbage collection tied to it so that route changes can safely propagate while traffic is flowing. In our setup, we weren't changing or deleting any routes, but the refcounting logic in ip6_input() was wrong and caused a reference leak on every inbound V6 packet. This eventually caused a 32bit overflow, and the resulting 0 value caused the garbage collection to run on the active route. That then snowballed into the panic. Reviewed by: scottl MFC after: 3 days
svn path=/head/; revision=236501
2012-06-03 07:36:59 +00:00 · 2012-06-03 07:36:59 +00:00 · 3df0e439b0 · 2020-12-20 02:59:44 +00:00
commit 3df0e439b0
parent e1656a8810
1 changed files with 14 additions and 10 deletions
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@ -879,19 +879,23 @@ ip6_input(struct mbuf *m)
 	 * as our interface address (e.g. multicast addresses, addresses
 	 * within FAITH prefixes and such).
 	 */
-	if (deliverifp && !ip6_getdstifaddr(m)) {
+	if (deliverifp) {
 		struct in6_ifaddr *ia6;

-		ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst);
-		if (ia6) {
-			if (!ip6_setdstifaddr(m, ia6)) {
-				/*
-				 * XXX maybe we should drop the packet here,
-				 * as we could not provide enough information
-				 * to the upper layers.
-				 */
-			}
+ 		if ((ia6 = ip6_getdstifaddr(m)) != NULL) {
 			ifa_free(&ia6->ia_ifa);
+		} else {
+			ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst);
+			if (ia6) {
+				if (!ip6_setdstifaddr(m, ia6)) {
+					/*
+					 * XXX maybe we should drop the packet here,
+					 * as we could not provide enough information
+					 * to the upper layers.
+					 */
+				}
+				ifa_free(&ia6->ia_ifa);
+			}
 		}
 	}