From d7a91dc6bf166a266421facb5e7cc8067695b03b Mon Sep 17 00:00:00 2001 From: bz Date: Sun, 11 Apr 2010 16:04:08 +0000 Subject: Plug reference leaks in the link-layer code ("new-arp") that previously prevented the link-layer entry from being freed. In both in.c and in6.c (though that code path seems to be basically dead) plug a reference leak in case of a pending callout being drained. In if_ether.c consistently add a reference before resetting the callout and in case we canceled a pending one remove the reference for that. In the final case in arptimer, before freeing the expired entry, remove the reference again and explicitly call callout_stop() to clear the active flag. In nd6.c:nd6_free() we are only ever called from the callout function and thus need to remove the reference there as well before calling into llentry_free(). In if_llatbl.c when freeing entire tables make sure that in case we cancel a pending callout to remove the reference as well. Reviewed by: qingli (earlier version) MFC after: 10 days Problem observed, patch tested by: simon on ipv6gw.f.o, Christian Kratzer (ck cksoft.de), Evgenii Davidov (dado korolev-net.ru) PR: kern/144564 Configurations still affected: with options FLOWTABLE --- sys/netinet6/nd6.c | 1 + 1 file changed, 1 insertion(+) (limited to 'sys/netinet6/nd6.c') diff --git a/sys/netinet6/nd6.c b/sys/netinet6/nd6.c index 5c250f4..a0ef204 100644 --- a/sys/netinet6/nd6.c +++ b/sys/netinet6/nd6.c @@ -1125,6 +1125,7 @@ nd6_free(struct llentry *ln, int gc) ifp = ln->lle_tbl->llt_ifp; IF_AFDATA_LOCK(ifp); LLE_WLOCK(ln); + LLE_REMREF(ln); llentry_free(ln); IF_AFDATA_UNLOCK(ifp); -- cgit v1.1
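Review bot: The added `LLE_REMREF(ln);` in nd6_free(), between `LLE_WLOCK(ln);` and `llentry_free(ln);`, is unconditional and is only correct under the invariant given in the commit message, that nd6_free() is reached solely from the callout function. Nothing in the code records that invariant. Please add a comment on that line saying the reference being dropped is the one held for the callout. If nd6_free() were ever called from a path that does not hold that reference, the extra decrement would unbalance the count and the entry could be released while still referenced elsewhere. An assertion at the top of the function that the entry still holds the callout's reference would turn such a misuse into an immediate, diagnosable failure. The commit message also describes the in6.c path as "basically dead" and lists FLOWTABLE configurations as still affected; both are worth tracking in the PR so the remaining reference handling is not forgotten.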