kern/59596: ND resolution sends one more request than expected

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/59596: ND resolution sends one more request than expected
From: ozaki-r%iij.ad.jp@localhost
Date: Fri, 15 Aug 2025 03:20:01 +0000 (UTC)

>Number:         59596
>Category:       kern
>Synopsis:       ND resolution sends one more request than expected
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Aug 15 03:20:01 +0000 2025
>Originator:     Ryota Ozaki
>Release:        current, 11 and 10
>Organization:
IIJ
>Environment:
any
>Description:
ARP requests are expected to be sent net.inet.arp.nd_bmaxtries times (three by default).
However, ARP requests are actually sent one more (four).

IPv6 ND also behaves the same way.
>How-To-Repeat:
kvm# tcpdump -ne -i vioif0 &
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vioif0, link-type EN10MB (Ethernet), snapshot length 262144 bytes

kvm# ping -c 1 10.0.1.3
PING 10.0.1.3 (10.0.1.3): 56 data bytes
09:34:46.716454 52:54:00:bb:18:47 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.1.3 tell 10.0.1.1, length 28
09:34:47.709730 52:54:00:bb:18:47 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.1.3 tell 10.0.1.1, length 28
09:34:48.709767 52:54:00:bb:18:47 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.1.3 tell 10.0.1.1, length 28
09:34:49.709826 52:54:00:bb:18:47 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.1.3 tell 10.0.1.1, length 28
^C
----10.0.1.3 PING Statistics----
1 packets transmitted, 0 packets received, 100.0% packet loss
kvm# sysctl -w net.inet.arp.nd_bmaxtries=1
net.inet.arp.nd_bmaxtries: 3 -> 1
kvm#
kvm# ping -c 1 10.0.1.3
PING 10.0.1.3 (10.0.1.3): 56 data bytes
09:35:10.392690 52:54:00:bb:18:47 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.1.3 tell 10.0.1.1, length 28
09:35:11.386709 52:54:00:bb:18:47 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.1.3 tell 10.0.1.1, length 28

----10.0.1.3 PING Statistics----
1 packets transmitted, 0 packets received, 100.0% packet loss
kvm#

>Fix:
diff --git a/sys/net/nd.c b/sys/net/nd.c
index e0968baacaf..10c23cb58dd 100644
--- a/sys/net/nd.c
+++ b/sys/net/nd.c
@@ -85,9 +85,11 @@ nd_timer(void *arg)
 		break;
 
 	case ND_LLINFO_INCOMPLETE:
-		send_ns = true;
-		if (ln->ln_asked++ < nd->nd_mmaxtries)
+		if (ln->ln_asked < nd->nd_mmaxtries) {
+			ln->ln_asked++;
+			send_ns = true;
 			break;
+		}
 
 		if (ln->ln_hold) {
 			struct mbuf *m0, *mnxt;
@@ -116,10 +118,8 @@ nd_timer(void *arg)
 		break;
 
 	case ND_LLINFO_REACHABLE:
-		if (!ND_IS_LLINFO_PERMANENT(ln)) {
+		if (!ND_IS_LLINFO_PERMANENT(ln))
 			ln->ln_state = ND_LLINFO_STALE;
-			nd_set_timer(ln, ND_TIMER_GC);
-		}
 		break;
 
 	case ND_LLINFO_PURGE: /* FALLTHROUGH */
@@ -137,15 +137,14 @@ nd_timer(void *arg)
 			ln->ln_state = ND_LLINFO_PROBE;
 			send_ns = true;
 			daddrp = &taddr;
-		} else {
+		} else
 			ln->ln_state = ND_LLINFO_STALE;
-			nd_set_timer(ln, ND_TIMER_GC);
-		}
 		break;
 
 	case ND_LLINFO_PROBE:
-		send_ns = true;
-		if (ln->ln_asked++ < nd->nd_umaxtries) {
+		if (ln->ln_asked < nd->nd_umaxtries) {
+			ln->ln_asked++;
+			send_ns = true;
 			daddrp = &taddr;
 		} else {
 			ln->ln_state = ND_LLINFO_UNREACHABLE;
@@ -170,9 +169,11 @@ nd_timer(void *arg)
 		 * few applications would look at unreachability hints provided
 		 * such as ND_LLINFO_UNREACHABLE or RTM_MISS.
 		 */
-		send_ns = true;
-		if (ln->ln_asked++ < nd->nd_mmaxtries)
+		if (ln->ln_asked < nd->nd_mmaxtries) {
+			ln->ln_asked++;
+			send_ns = true;
 			break;
+		}
 
 		missed = ND_LLINFO_UNREACHABLE;
 		ln->ln_state = ND_LLINFO_WAITDELETE;
@@ -180,14 +181,18 @@ nd_timer(void *arg)
 		break;
 	}
 
+	if (ln != NULL) {
+		int type = ND_TIMER_RETRANS;
+		if (ln->ln_state == ND_LLINFO_WAITDELETE)
+			type = ND_TIMER_RETRANS_BACKOFF;
+		else if (ln->ln_state == ND_LLINFO_STALE)
+			type = ND_TIMER_GC;
+		nd_set_timer(ln, type);
+	}
 	if (send_ns) {
 		uint8_t lladdr[255], *lladdrp;
 		union l3addr src, *psrc;
 
-		if (ln->ln_state == ND_LLINFO_WAITDELETE)
-			nd_set_timer(ln, ND_TIMER_RETRANS_BACKOFF);
-		else
-			nd_set_timer(ln, ND_TIMER_RETRANS);
 		if (ln->ln_state > ND_LLINFO_INCOMPLETE &&
 		    ln->la_flags & LLE_VALID)
 		{

Prev by Date: Re: misc/59594: SSL checkflist build errors
Next by Date: NetBSD Nightly Trouble Ticket Report
Previous by Thread: Re: bin/59595 (sh(1) in -current breaks pkgsrc/net/libcmis configure)
Next by Thread: lib/59599: libc looses environment updates made during .so initialization
Indexes:

Home | Main Index | Thread Index | Old Index