routing: fix panic triggered by the 'gr_idx != 0' assert in nhg code
Nexthop groups can be referenced by the external code. The reference can be released after the VNET destruction. Furthermore, nexthop groups use a single per-rib lock, which is destroyed during the VNET desctruction. To eliminate use-after-free problem, each nhg is marked as "unlinked" during the VNET destruction stage, leaving nhg_idx intact. Normally there should not be such nexthops, but if there are any, the kernel will panic on 'gr_idx != 0' when the last nhg reference is released. Address this by using the assert checks only when the nexthop group is destroyed during "valid" VNET lifetime. MFC after: 3 days
This commit is contained in:
@@ -382,10 +382,11 @@ nhgrp_free(struct nhgrp_object *nhg)
|
||||
NET_EPOCH_EXIT(et);
|
||||
return;
|
||||
}
|
||||
MPASS((nhg_priv->nhg_idx == 0));
|
||||
MPASS((nhg_priv->nhg_refcount == 0));
|
||||
}
|
||||
NET_EPOCH_EXIT(et);
|
||||
|
||||
KASSERT((nhg_priv->nhg_idx == 0), ("gr_idx != 0"));
|
||||
NET_EPOCH_CALL(destroy_nhgrp_epoch, &nhg_priv->nhg_epoch_ctx);
|
||||
}
|
||||
|
||||
@@ -402,10 +403,6 @@ destroy_nhgrp_int(struct nhgrp_priv *nhg_priv)
|
||||
__noinline static void
|
||||
destroy_nhgrp(struct nhgrp_priv *nhg_priv)
|
||||
{
|
||||
|
||||
KASSERT((nhg_priv->nhg_refcount == 0), ("nhg_refcount != 0"));
|
||||
KASSERT((nhg_priv->nhg_idx == 0), ("gr_idx != 0"));
|
||||
|
||||
IF_DEBUG_LEVEL(LOG_DEBUG2) {
|
||||
char nhgbuf[NHOP_PRINT_BUFSIZE] __unused;
|
||||
FIB_NH_LOG(LOG_DEBUG2, nhg_priv->nhg_nh_weights[0].nh,
|
||||
|
||||
Reference in New Issue
Block a user