NetBSD Problem Report #59527
Date: Mon, 14 Jul 2025 07:42:45 +0000 (UTC)
From: ozaki-r@iij.ad.jp
Reply-To: ozaki-r@iij.ad.jp
To: gnats-bugs@NetBSD.org
Subject: Race condition on a rtentry being deleted asynchronously
X-Send-Pr-Version: www-1.0
>Number: 59527
>Category: kern
>Synopsis: Race condition on a rtentry being deleted asynchronously
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Jul 14 07:45:00 +0000 2025
>Last-Modified: Tue Jul 29 09:40:01 +0000 2025
>Originator: Ryota Ozaki
>Release: current, 10, 9
>Organization:
IIJ
>Environment:
any
>Description:
If a rtentry is deleted asynchronously (this behavior is the default now), objects referenced by the rtentry can be destroyed before the rtentry becomes unavailable.
For example, an address (ifaddr) can be deinitialized (not freed thanks to ifaref()) before its connected route is deleted, which means rt_ifa of the route can refer to a deinitialized object. So accessing the ifaddr via rt_ifa can fail in some ways, say ifa_acquire(rt->rt_ifa).
The same problem can apply to rt_ifp as well, although it rarely happens compared to rt_ifa.
I don't know whether the issue can be problematic without NET_MPSAFE.
>How-To-Repeat:
While forwarding IPv4 packets over two interfaces, repeatedly assigning and deleting an address on the sink-side interface can cause a KASSERT failure on ifa_acquire(rt->rt_ifa) in ip_output().
>Fix:
There are several solutions for the issues:
- Avoid asynchronous route deletions
  - Needs a large amount of work for softint_lock though
- Check ifaddr availability on every rt_ifa access
  - It works but is awkward
- Avoid if_acquire(rt->rt_ifa)
  - It is safe to access some variables of an ifaddr via rt->rt_ifa while the rtentry is alive because the ifaddr is not freed thanks to ifaref()
- Store an interface index in rtentry instead of ifp itself
  - And get ifp by using if_get() every time
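
Added example (not part of the report and not NetBSD kernel code): a single-threaded user-space model that replays the window between address deletion and the deferred route deletion, and shows what the availability check, the direct field read and the index lookup from the list above each observe. Every m_* name, the destroying flag and the interface table are hypothetical stand-ins for the kernel objects named in the report.

```c
#include <stdbool.h>
#include <stdlib.h>

/* User-space model of the report; every m_* name is hypothetical. */
struct m_ifaddr {
	int refcnt;        /* counted references keep the memory allocated */
	bool destroying;   /* set when the address is deinitialized */
	unsigned addr;     /* a field the forwarding path wants to read */
};
struct m_rtentry {
	struct m_ifaddr *rt_ifa;  /* the route holds one reference */
	unsigned rt_ifindex;      /* index stored instead of an ifp pointer */
};
static bool m_if_present[4];      /* constructed interface table */

static void m_ifaref(struct m_ifaddr *ifa) { ifa->refcnt++; }
static bool m_ifafree(struct m_ifaddr *ifa) {  /* true if memory was freed */
	if (--ifa->refcnt > 0) return false;
	free(ifa);
	return true;
}
/* Address deletion: deinitialize, then drop the owner's reference. */
static bool m_ifa_remove(struct m_ifaddr *ifa) {
	ifa->destroying = true;
	return m_ifafree(ifa);
}
/* Availability check: report failure where a plain acquire would assert. */
static bool m_ifa_try_acquire(const struct m_ifaddr *ifa) { return !ifa->destroying; }
/* Resolve the interface by index on each use; false once it is gone. */
static bool m_if_get(unsigned idx) { return idx < 4 && m_if_present[idx]; }

/* Replays the window between address deletion and the deferred route
 * deletion; each bit of the result records one observation. */
int m_race_window(void) {
	struct m_ifaddr *ifa = calloc(1, sizeof(*ifa));
	if (ifa == NULL) return -1;
	ifa->refcnt = 1; ifa->addr = 0x0a000001;  /* constructed address */
	struct m_rtentry rt = { ifa, 1 };
	m_ifaref(ifa);                    /* reference held by the route */
	m_if_present[1] = true;
	int seen = 0;
	if (!m_ifa_remove(ifa)) seen |= 1;                /* not freed yet */
	if (!m_ifa_try_acquire(rt.rt_ifa)) seen |= 2;     /* acquire refused */
	if (rt.rt_ifa->addr == 0x0a000001) seen |= 4;     /* field still readable */
	m_if_present[1] = false;                          /* interface detached */
	if (!m_if_get(rt.rt_ifindex)) seen |= 8;          /* lookup fails cleanly */
	if (m_ifafree(rt.rt_ifa)) seen |= 16;             /* route deletion frees it */
	return seen;
}
int main(void) { return m_race_window() == 31 ? 0 : 1; }
```

The model runs the interleaving in a fixed order, so it illustrates the object lifetimes only and says nothing about the locking a real kernel needs.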
>Audit-Trail:
From: "Ryota Ozaki" <ozaki-r@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59527 CVS commit: src/sys/netinet
Date: Thu, 17 Jul 2025 06:48:39 +0000
Module Name: src
Committed By: ozaki-r
Date: Thu Jul 17 06:48:39 UTC 2025
Modified Files:
src/sys/netinet: ip_output.c
Log Message:
in: avoid racy ifa_acquire(rt->rt_ifa) in ip_output()
If a rtentry is being destroyed asynchronously, ifa referenced by rt_ifa
can be destructed and taking ifa_acquire(rt->rt_ifa) aborts with a
KASSERT failure. Fortunately, the ifa is not actually freed because of
a reference by rt_ifa, it can be available (except some functions like
psref) as long as the rtentry is held.
PR kern/59527
To generate a diff of this commit:
cvs rdiff -u -r1.329 -r1.330 src/sys/netinet/ip_output.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Ryota Ozaki" <ozaki-r@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59527 CVS commit: src/sys/netinet
Date: Thu, 17 Jul 2025 06:49:43 +0000
Module Name: src
Committed By: ozaki-r
Date: Thu Jul 17 06:49:43 UTC 2025
Modified Files:
src/sys/netinet: ip_input.c
Log Message:
in: avoid racy ia4_acquire(ifatoia(rt->rt_ifa) in ip_rtaddr()
Same as the case of ip_output(), it's racy and should be avoided.
PR kern/59527
To generate a diff of this commit:
cvs rdiff -u -r1.405 -r1.406 src/sys/netinet/ip_input.c
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59527 CVS commit: [netbsd-10] src/sys
Date: Tue, 29 Jul 2025 09:35:28 +0000
Module Name: src
Committed By: martin
Date: Tue Jul 29 09:35:28 UTC 2025
Modified Files:
src/sys/netinet [netbsd-10]: in_var.h ip_input.c ip_mroute.c
ip_output.c sctp_output.c
src/sys/netipsec [netbsd-10]: ipsecif.c xform_ipip.c
Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #1140):

sys/netinet/ip_output.c: revision 1.330
sys/netinet/sctp_output.c: revision 1.39
sys/netinet/ip_mroute.c: revision 1.166
sys/netipsec/ipsecif.c: revision 1.24
sys/netipsec/xform_ipip.c: revision 1.80
sys/netinet/ip_output.c: revision 1.327
sys/netinet/ip_output.c: revision 1.328
sys/netinet/ip_input.c: revision 1.406
sys/netinet/ip_output.c: revision 1.329
sys/netinet/in_var.h: revision 1.105

in: get rid of unused argument from ip_newid() and ip_newid_range()

in: take a reference of ifp on IP_ROUTETOIF
The ifp could be released after ia4_release(ia).

in: narrow the scope of ifa in ip_output (NFC)

sctp: follow the recent change of ip_newid()

in: avoid racy ifa_acquire(rt->rt_ifa) in ip_output()
If a rtentry is being destroyed asynchronously, ifa referenced by rt_ifa
can be destructed and taking ifa_acquire(rt->rt_ifa) aborts with a
KASSERT failure. Fortunately, the ifa is not actually freed because of
a reference by rt_ifa, it can be available (except some functions like
psref) as long as the rtentry is held.
PR kern/59527

in: avoid racy ia4_acquire(ifatoia(rt->rt_ifa) in ip_rtaddr()
Same as the case of ip_output(), it's racy and should be avoided.
PR kern/59527

To generate a diff of this commit:
cvs rdiff -u -r1.103 -r1.103.2.1 src/sys/netinet/in_var.h
cvs rdiff -u -r1.402.4.1 -r1.402.4.2 src/sys/netinet/ip_input.c
cvs rdiff -u -r1.165 -r1.165.4.1 src/sys/netinet/ip_mroute.c
cvs rdiff -u -r1.324.2.2 -r1.324.2.3 src/sys/netinet/ip_output.c
cvs rdiff -u -r1.33.2.1 -r1.33.2.2 src/sys/netinet/sctp_output.c
cvs rdiff -u -r1.21 -r1.21.2.1 src/sys/netipsec/ipsecif.c
cvs rdiff -u -r1.78 -r1.78.4.1 src/sys/netipsec/xform_ipip.c