The `rtt_link' list also lacks locking protection when rtfree() is called outside the netlock.
> On 25 Dec 2021, at 01:34, Alexander Bluhm <alexander.bl...@gmx.net> wrote: > > On Fri, Dec 24, 2021 at 02:04:17PM +0100, Alexander Bluhm wrote: >> On Fri, Dec 24, 2021 at 12:55:04AM +0100, Alexander Bluhm wrote: >>> If you use only regular IPsec or forwarding, I hope it is stable. >> >> false hope >> >> rt_timer_add(fffffd81b97f5390,ffffffff814218b0,ffff8000002040c0,0) at >> rt_timer_ >> add+0xc7 >> icmp_mtudisc_clone(2438040a,0,1) at icmp_mtudisc_clone+0x174 >> ip_output_ipsec_pmtu_update(ffff8000011e35a0,ffff8000226c0a08,2438040a,0,0) >> at i >> p_output_ipsec_pmtu_update+0x71 >> ip_output_ipsec_send(ffff8000011e35a0,fffffd80b8735000,ffff8000226c0a08,1) >> at i >> p_output_ipsec_send+0x231 >> ip_output(fffffd80b8735000,0,ffff8000226c0a08,1,0,0,457ea326bbcaae85) at >> ip_out >> put+0x7ca >> ip_forward(fffffd80b8735000,ffff80000011e048,fffffd819089ce70,0) at >> ip_forward+ >> 0x2da >> ip_input_if(ffff8000226c0b48,ffff8000226c0b54,4,0,ffff80000011e048) at >> ip_input >> _if+0x353 >> ipv4_input(ffff80000011e048,fffffd80b8735000) at ipv4_input+0x39 >> ether_input(ffff80000011e048,fffffd80b8735000) at ether_input+0x3ad >> if_input_process(ffff80000011e048,ffff8000226c0c38) at if_input_process+0x6f >> ifiq_process(ffff80000011dc00) at ifiq_process+0x69 >> taskq_thread(ffff80000002e200) at taskq_thread+0x100 >> end trace frame: 0x0, count: -12 > > /usr/src/sys/net/route.c:1491 > 3773: 49 8b 0f mov (%r15),%rcx > 3776: 49 8b 47 08 mov 0x8(%r15),%rax > 377a: 48 85 c9 test %rcx,%rcx > 377d: 74 06 je 3785 <rt_timer_add+0xb5> > 377f: 48 83 c1 08 add $0x8,%rcx > 3783: eb 08 jmp 378d <rt_timer_add+0xbd> > 3785: 49 8b 4f 20 mov 0x20(%r15),%rcx > 3789: 48 83 c1 18 add $0x18,%rcx > 378d: 48 89 01 mov %rax,(%rcx) > 3790: 49 8b 07 mov (%r15),%rax > 3793: 49 8b 4f 08 mov 0x8(%r15),%rcx > * 3797: 48 89 01 mov %rax,(%rcx) > 379a: 49 c7 47 08 ff ff ff movq $0xffffffffffffffff,0x8(%r15) > 37a1: ff > 37a2: 49 c7 07 ff ff ff ff movq $0xffffffffffffffff,(%r15) > 
/usr/src/sys/net/route.c:1492
>
> 1484 /*
> 1485 * If there's already a timer with this action, destroy it before
> 1486 * we add a new one.
> 1487 */
> 1488 LIST_FOREACH(r, &rt->rt_timer, rtt_link) {
> 1489 if (r->rtt_func == func) {
> 1490 LIST_REMOVE(r, rtt_link);
> * 1491 TAILQ_REMOVE(&r->rtt_queue->rtq_head, r, rtt_next);
> 1492 if (r->rtt_queue->rtq_count > 0)
> 1493 r->rtt_queue->rtq_count--;
> 1494 else
> 1495 printf("rt_timer_add: rtq_count reached 0\n");
> 1496 pool_put(&rttimer_pool, r);
> 1497 break; /* only one per list, so we can quit... */
> 1498 }
> 1499 }
>
> These lists don't look MP-safe: the unlink at 1490-1491 (1491 is where the trace faults) and the rtq_count update at 1492-1493 have no lock visible here serializing them against a concurrent rt_timer_add() or rtfree() on another CPU, so one CPU can remove and pool_put() an entry that another CPU is still walking or unlinking. The trace reaches this code from an ifiq_process taskq thread via ip_forward(), so if more than one of those threads can run at once this path races.
>