`rtt_link' list also has missing protection when rtfree() is called
outside netlock.

> On 25 Dec 2021, at 01:34, Alexander Bluhm <alexander.bl...@gmx.net> wrote:
> 
> On Fri, Dec 24, 2021 at 02:04:17PM +0100, Alexander Bluhm wrote:
>> On Fri, Dec 24, 2021 at 12:55:04AM +0100, Alexander Bluhm wrote:
>>> If you use only regular IPsec or forwarding, I hope it is stable.
>> 
>> false hope
>> 
>> rt_timer_add(fffffd81b97f5390,ffffffff814218b0,ffff8000002040c0,0) at rt_timer_add+0xc7
>> icmp_mtudisc_clone(2438040a,0,1) at icmp_mtudisc_clone+0x174
>> ip_output_ipsec_pmtu_update(ffff8000011e35a0,ffff8000226c0a08,2438040a,0,0) at ip_output_ipsec_pmtu_update+0x71
>> ip_output_ipsec_send(ffff8000011e35a0,fffffd80b8735000,ffff8000226c0a08,1) at ip_output_ipsec_send+0x231
>> ip_output(fffffd80b8735000,0,ffff8000226c0a08,1,0,0,457ea326bbcaae85) at ip_output+0x7ca
>> ip_forward(fffffd80b8735000,ffff80000011e048,fffffd819089ce70,0) at ip_forward+0x2da
>> ip_input_if(ffff8000226c0b48,ffff8000226c0b54,4,0,ffff80000011e048) at ip_input_if+0x353
>> ipv4_input(ffff80000011e048,fffffd80b8735000) at ipv4_input+0x39
>> ether_input(ffff80000011e048,fffffd80b8735000) at ether_input+0x3ad
>> if_input_process(ffff80000011e048,ffff8000226c0c38) at if_input_process+0x6f
>> ifiq_process(ffff80000011dc00) at ifiq_process+0x69
>> taskq_thread(ffff80000002e200) at taskq_thread+0x100
>> end trace frame: 0x0, count: -12
> 
> /usr/src/sys/net/route.c:1491
>    3773:       49 8b 0f                mov    (%r15),%rcx
>    3776:       49 8b 47 08             mov    0x8(%r15),%rax
>    377a:       48 85 c9                test   %rcx,%rcx
>    377d:       74 06                   je     3785 <rt_timer_add+0xb5>
>    377f:       48 83 c1 08             add    $0x8,%rcx
>    3783:       eb 08                   jmp    378d <rt_timer_add+0xbd>
>    3785:       49 8b 4f 20             mov    0x20(%r15),%rcx
>    3789:       48 83 c1 18             add    $0x18,%rcx
>    378d:       48 89 01                mov    %rax,(%rcx)
>    3790:       49 8b 07                mov    (%r15),%rax
>    3793:       49 8b 4f 08             mov    0x8(%r15),%rcx
> *   3797:       48 89 01                mov    %rax,(%rcx)
>    379a:       49 c7 47 08 ff ff ff    movq   $0xffffffffffffffff,0x8(%r15)
>    37a1:       ff 
>    37a2:       49 c7 07 ff ff ff ff    movq   $0xffffffffffffffff,(%r15)
> /usr/src/sys/net/route.c:1492
> 
>  1484          /*
>  1485           * If there's already a timer with this action, destroy it before
>  1486           * we add a new one.
>  1487           */
>  1488          LIST_FOREACH(r, &rt->rt_timer, rtt_link) {
>  1489                  if (r->rtt_func == func) {
>  1490                          LIST_REMOVE(r, rtt_link);
> * 1491                          TAILQ_REMOVE(&r->rtt_queue->rtq_head, r, rtt_next);
>  1492                          if (r->rtt_queue->rtq_count > 0)
>  1493                                  r->rtt_queue->rtq_count--;
>  1494                          else
>  1495                                  printf("rt_timer_add: rtq_count reached 0\n");
>  1496                          pool_put(&rttimer_pool, r);
>  1497                          break;  /* only one per list, so we can quit... */
>  1498                  }
>  1499          }
> 
> These lists don't look very MP safe.
> 

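As an added illustration, not part of the thread or of the OpenBSD sources: a user-space model of TAILQ_REMOVE with _Q_INVALIDATE as in OpenBSD's <sys/queue.h>. It shows that a removed element's tqe_prev/tqe_next are set to (void *)-1 (the two movq $0xffffffffffffffff stores in the disassembly above), so an element unlinked a second time by a racing remover stores through that poison and faults at the marked instruction instead of silently corrupting the list. The struct and function names are stand-ins for rttimer/rttimer_queue and the queue macros, not the kernel's definitions.

```c
/* Added example: user-space model of TAILQ_REMOVE + _Q_INVALIDATE semantics
 * from OpenBSD's <sys/queue.h>. Names mirror rttimer/rttimer_queue, stand-ins. */
#include <stddef.h>
#include <stdio.h>

#define Q_POISON ((void *)-1)  /* what _Q_INVALIDATE stores into a removed link */
struct rttimer {                /* TAILQ_ENTRY(rttimer) rtt_next, flattened */
	struct rttimer *tqe_next;
	struct rttimer **tqe_prev;
};
struct rttimer_queue {          /* TAILQ_HEAD rtq_head plus rtq_count */
	struct rttimer *tqh_first;
	struct rttimer **tqh_last;
	int rtq_count;
};
static void rtq_init(struct rttimer_queue *q) {
	q->tqh_first = NULL; q->tqh_last = &q->tqh_first; q->rtq_count = 0;
}
static void rtq_insert_tail(struct rttimer_queue *q, struct rttimer *r) {
	r->tqe_next = NULL; r->tqe_prev = q->tqh_last;
	*q->tqh_last = r; q->tqh_last = &r->tqe_next; q->rtq_count++;
}
/* 1 if r's links hold the poison value, i.e. it was already unlinked (here or
 * on another CPU); unlinking it again would store through (void *)-1, which
 * is the fault pattern at the starred instruction in the disassembly. */
static int rtq_elm_removed(const struct rttimer *r) {
	return r->tqe_prev == Q_POISON || r->tqe_next == Q_POISON;
}
/* TAILQ_REMOVE then _Q_INVALIDATE of both links. Unlike the kernel macro it
 * refuses a double remove (returns -1) instead of dereferencing the poison. */
static int rtq_remove(struct rttimer_queue *q, struct rttimer *r) {
	if (rtq_elm_removed(r)) return -1;
	if (r->tqe_next != NULL) r->tqe_next->tqe_prev = r->tqe_prev;
	else q->tqh_last = r->tqe_prev;
	*r->tqe_prev = r->tqe_next;      /* the store that faults at route.c:1491 */
	r->tqe_prev = Q_POISON; r->tqe_next = Q_POISON;
	q->rtq_count--;
	return 0;
}
/* Two timers; remove the first twice, as a racing second remover would.
 * Returns 1 when the double remove is caught and the queue is still sane. */
static int demo_double_remove(void) {
	struct rttimer_queue q; struct rttimer a = { 0 }, b = { 0 };
	rtq_init(&q); rtq_insert_tail(&q, &a); rtq_insert_tail(&q, &b);
	if (rtq_remove(&q, &a) != 0 || !rtq_elm_removed(&a)) return 0;
	return rtq_remove(&q, &a) == -1 && q.tqh_first == &b && q.rtq_count == 1;
}
int main(void) {
	printf("double remove caught: %d\n", demo_double_remove());
	return 0;
}
```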