NetBSD Problem Report #46697
From www@NetBSD.org Fri Jul 13 06:07:57 2012
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
by www.NetBSD.org (Postfix) with ESMTP id C952563BA6C
for <gnats-bugs@gnats.NetBSD.org>; Fri, 13 Jul 2012 06:07:56 +0000 (UTC)
Message-Id: <20120713060756.11DFC63B85F@www.NetBSD.org>
Date: Fri, 13 Jul 2012 06:07:56 +0000 (UTC)
From: 6bone@6bone.informatik.uni-leipzig.de
Reply-To: 6bone@6bone.informatik.uni-leipzig.de
To: gnats-bugs@NetBSD.org
Subject: netbsd-6 crash with IPF and ipv6
X-Send-Pr-Version: www-1.0
>Number: 46697
>Category: kern
>Synopsis: netbsd-6 crash with IPF and ipv6
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Jul 13 06:10:00 +0000 2012
>Closed-Date: Sun Feb 18 11:15:07 +0000 2018
>Last-Modified: Sun Feb 18 11:15:07 +0000 2018
>Originator: Uwe Toenjes
>Release: netbsd6 beta2
>Organization:
University of Leipzig
>Environment:
NetBSD 6.0_BETA2 (amd64)
>Description:
The netbsd6-beta2 kernel sometimes crashes with:
fatal page fault in supervisor mode
trap type 6 code 0 rip ffffffff80300b91 cs 8 rflags 10202 cr2 20 cpl 4 rsp fffffe8002dbb6d0
panic: trap
cpu0: Begin traceback...
printf_nolog() at netbsd:printf_nolog
startlwp() at netbsd:startlwp
alltraps() at netbsd:alltraps+0x9e
fr_checkicmp6matchingstate() at netbsd:fr_checkicmp6matchingstate+0xe8
fr_stlookup() at netbsd:fr_stlookup+0x813
fr_checkstate() at netbsd:fr_checkstate+0xa8
fr_check() at netbsd:fr_check+0x434
pfil_run_hooks() at netbsd:pfil_run_hooks+0x9d
ip6_input() at netbsd:ip6_input+0x718
ip6intr() at netbsd:ip6intr+0x77
softint_dispatch() at netbsd:softint_dispatch+0xd9
DDB lost frame for netbsd:Xsoftintr+0x4f, trying 0xfffffe8002dbbd70
Xsoftintr() at netbsd:Xsoftintr+0x4f
kernel dumps can be downloaded at
https://suse.uni-leipzig.de/netbsd.20.gz
https://suse.uni-leipzig.de/netbsd.20.core.gz
and
https://suse.uni-leipzig.de/netbsd.21.gz
https://suse.uni-leipzig.de/netbsd.21.core.gz
debug code is available at
https://suse.uni-leipzig.de/netbsd.gdb
https://suse.uni-leipzig.de/netbsd.map
The problem does not occur with a netbsd6-beta kernel.
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
From: 6bone@6bone.informatik.uni-leipzig.de
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: kern/46697: netbsd6-beta2 crash
Date: Tue, 4 Dec 2012 07:41:27 +0100 (CET)
The problem also occurs with NetBSD 6.0_STABLE.
From: Patrick Welche <prlw1@cam.ac.uk>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/46697
Date: Fri, 29 Apr 2016 17:17:28 +0100
FWIW according to your coredump, the problem is at
src/sys/dist/ipf/netinet/fil.c:759
750        case ICMP6_DST_UNREACH :
751        case ICMP6_PACKET_TOO_BIG :
752        case ICMP6_TIME_EXCEEDED :
753        case ICMP6_PARAM_PROB :
754                fin->fin_flx |= FI_ICMPERR;
755                minicmpsz = ICMP6ERR_IPICMPHLEN - sizeof(ip6_t);
756                if (fin->fin_plen < ICMP6ERR_IPICMPHLEN)
757                        break;
758
759                if (M_LEN(fin->fin_m) < fin->fin_plen) {
760                        if (fr_coalesce(fin) != 1)
761                                return;
762                }
where fin->fin_m = 0x0, so M_LEN(fin->fin_m) dereferences 0.
(gdb) print *fin
$1 = {fin_ifp = 0xfffffe803dcca008, fin_fi = {fi_v = 6, fi_xx = 0, fi_tos = 0,
fi_ttl = 126, fi_p = 58, fi_optmsk = 8, fi_src = {i6 = {1807811104, 11110,
0, 728132545}, in4 = {s_addr = 1807811104}, in6 = {__u6_addr = {
__u6_addr8 = " \002\301kf+\000\000\000\000\000\000\301kf+",
__u6_addr16 = {544, 27585, 11110, 0, 0, 0, 27585, 11110},
__u6_addr32 = {1807811104, 11110, 0, 728132545}}}, vptr = {
0x2b666bc10220, 0x2b666bc100000000}, lptr = {0x2b666bc10220,
0x2b666bc100000000}, i6un = {type = 544, subtype = 27585,
label = "f+\000\000\000\000\000\000\301kf+"}}, fi_dst = {i6 = {288,
4252628318, 2184217380, 1280175939}, in4 = {s_addr = 288}, in6 = {
__u6_addr = {__u6_addr8 = " \001\000\000^\365y\375$0\202CïML",
__u6_addr16 = {288, 0, 62814, 64889, 33572, 33328, 61251, 19533},
__u6_addr32 = {288, 4252628318, 2184217380, 1280175939}}}, vptr = {
0xfd79f55e00000120, 0x4c4def4382308324}, lptr = {0xfd79f55e00000120,
0x4c4def4382308324}, i6un = {type = 288, subtype = 0,
label = "^\365y\375$0\202CïML"}}, fi_secmsk = 0, fi_auth = 0,
fi_flx = 537465860, fi_tcpmsk = 0, fi_res1 = 0}, fin_dat = {fid_16 = {259,
0}, fid_32 = 259}, fin_out = 1, fin_rev = 0, fin_hlen = 40,
fin_tcpf = 0 '\000', fin_icode = 0 '\000', fin_rule = 4294967295,
fin_group = "\377", '\000' <repeats 14 times>, fin_fr = 0x0,
fin_dp = 0xfffffe802e81806e, fin_dlen = 53244, fin_plen = 53292,
fin_ipoff = 0, fin_id = 96, fin_off = 0, fin_depth = 0, fin_error = 51,
fin_cksum = 0, fin_pktnum = 0, fin_nattag = 0x0,
fin_exthdr = 0xfffffe802e818066, fin_ip = 0xfffffe802e81803e, fin_mp = 0x0,
fin_m = 0x0}
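To make the failure mode concrete, here is an added example (not IPF's code and not the kern/50629 workaround) that models the control flow of fil.c:754-762 with constructed stand-in types: `icmp6err_check_unguarded` mirrors the quoted code, and `icmp6err_check_guarded` adds the NULL check on `fin_m` that turns the state in the dump (fin_m = 0x0, fin_plen = 53292) into a clean drop instead of a supervisor-mode page fault. The flag and header-length constants are assumed values for this model only.

```c
#include <stddef.h>

/* Constructed stand-ins for the IPF types in the trace; not the real headers. */
typedef struct mbuf { int m_len; } mbuf_t;
#define M_LEN(m) ((m)->m_len)            /* dereferences m, like IPF's macro */

typedef struct fr_info {
    mbuf_t  *fin_m;    /* packet mbuf; 0x0 in the PR's core dump */
    int      fin_plen; /* payload length from the headers; 53292 in the dump */
    unsigned fin_flx;
} fr_info_t;

#define FI_ICMPERR            0x1   /* assumed flag value for this model */
#define ICMP6ERR_IPICMPHLEN   48    /* assumed: ip6 (40) + icmp6 (8) header bytes */

typedef enum { CHK_DONE, CHK_TOO_SHORT, CHK_NO_MBUF, CHK_COALESCE } chk_t;

/* Control flow of the quoted fil.c lines 754-762: no NULL check on fin_m. */
chk_t icmp6err_check_unguarded(fr_info_t *fin)
{
    fin->fin_flx |= FI_ICMPERR;
    if (fin->fin_plen < ICMP6ERR_IPICMPHLEN)
        return CHK_TOO_SHORT;              /* the `break` in the original */
    if (M_LEN(fin->fin_m) < fin->fin_plen) /* faults when fin_m == NULL */
        return CHK_COALESCE;               /* original calls fr_coalesce() here */
    return CHK_DONE;
}

/* Same logic with the guard a defender would add: refuse to touch the
 * payload when no mbuf backs it, instead of dereferencing address 0. */
chk_t icmp6err_check_guarded(fr_info_t *fin)
{
    fin->fin_flx |= FI_ICMPERR;
    if (fin->fin_plen < ICMP6ERR_IPICMPHLEN)
        return CHK_TOO_SHORT;
    if (fin->fin_m == NULL)
        return CHK_NO_MBUF;                /* drop/skip: nothing to coalesce */
    if (M_LEN(fin->fin_m) < fin->fin_plen)
        return CHK_COALESCE;
    return CHK_DONE;
}

/* The relevant fr_info fields as they appear in the gdb dump above. */
fr_info_t fin_from_dump(void)
{
    fr_info_t fin = { NULL, 53292, 0 };    /* fin_m = 0x0, fin_plen = 53292 */
    return fin;
}
```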
From: 6bone@6bone.informatik.uni-leipzig.de
To: gnats-bugs@NetBSD.org
Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: kern/46697
Date: Fri, 13 May 2016 07:48:57 +0200 (CEST)
Perhaps it is the same problem as kern/50629? Christos Zoulas wrote a
workaround and applied it to netbsd-7.
Regards
Uwe
From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: kern/46697
Date: Mon, 15 Aug 2016 15:03:48 +0000
On Fri, May 13, 2016 at 05:50:01AM +0000, 6bone@6bone.informatik.uni-leipzig.de wrote:
> perhaps it is the same problem as kern/50629? Christos Zoulas wrote a
> workaround and applied it to netbsd-7
If it is, should we close the PR? :-)
(Have you seen the problem since you got that fix? Or would you like
the fix in -6?)
--
David A. Holland
dholland@netbsd.org
From: 6bone@6bone.informatik.uni-leipzig.de
To: gnats-bugs@NetBSD.org
Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: kern/46697
Date: Fri, 19 Aug 2016 21:43:58 +0200 (CEST)
On Mon, 15 Aug 2016, David Holland wrote:
> If it is, should we close the PR? :-)
>
> (Have you seen the problem since you got that fix? Or would you like
> the fix in -6?)
I changed all systems which are using ipfilter to netbsd-7. There, the
patch has solved the problem.
Under netbsd-6 I could not test the patch. The PR can be closed.
Thank you for your efforts
Regards
Uwe
State-Changed-From-To: open->closed
State-Changed-By: maya@NetBSD.org
State-Changed-When: Sun, 18 Feb 2018 11:15:07 +0000
State-Changed-Why:
Author said to close it.
>Unformatted: