NetBSD Problem Report #46697

From www@NetBSD.org  Fri Jul 13 06:07:57 2012
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	by www.NetBSD.org (Postfix) with ESMTP id C952563BA6C
	for <gnats-bugs@gnats.NetBSD.org>; Fri, 13 Jul 2012 06:07:56 +0000 (UTC)
Message-Id: <20120713060756.11DFC63B85F@www.NetBSD.org>
Date: Fri, 13 Jul 2012 06:07:56 +0000 (UTC)
From: 6bone@6bone.informatik.uni-leipzig.de
Reply-To: 6bone@6bone.informatik.uni-leipzig.de
To: gnats-bugs@NetBSD.org
Subject: netbsd-6 crash with IPF and ipv6
X-Send-Pr-Version: www-1.0

>Number:         46697
>Category:       kern
>Synopsis:       netbsd-6 crash with IPF and ipv6
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jul 13 06:10:00 +0000 2012
>Closed-Date:    Sun Feb 18 11:15:07 +0000 2018
>Last-Modified:  Sun Feb 18 11:15:07 +0000 2018
>Originator:     Uwe Toenjes
>Release:        netbsd6 beta2
>Organization:
University of Leipzig
>Environment:
NetBSD 6.0_BETA2 (amd64)
>Description:
The netbsd6-beta2 kernel sometimes crashes with:

fatal page fault in supervisor mode

trap type 6 code 0 rip ffffffff80300b91 cs 8 rflags 10202 cr2 20 cpl 4 rsp fffffe8002dbb6d0
panic: trap
cpu0: Begin traceback...
printf_nolog() at netbsd:printf_nolog
startlwp() at netbsd:startlwp
alltraps() at netbsd:alltraps+0x9e
fr_checkicmp6matchingstate() at netbsd:fr_checkicmp6matchingstate+0xe8
fr_stlookup() at netbsd:fr_stlookup+0x813
fr_checkstate() at netbsd:fr_checkstate+0xa8
fr_check() at netbsd:fr_check+0x434
pfil_run_hooks() at netbsd:pfil_run_hooks+0x9d
ip6_input() at netbsd:ip6_input+0x718
ip6intr() at netbsd:ip6intr+0x77
softint_dispatch() at netbsd:softint_dispatch+0xd9
DDB lost frame for netbsd:Xsoftintr+0x4f, trying 0xfffffe8002dbbd70
Xsoftintr() at netbsd:Xsoftintr+0x4f

kernel dumps can be downloaded at

https://suse.uni-leipzig.de/netbsd.20.gz
https://suse.uni-leipzig.de/netbsd.20.core.gz

and

https://suse.uni-leipzig.de/netbsd.21.gz
https://suse.uni-leipzig.de/netbsd.21.core.gz

debug code is available at

https://suse.uni-leipzig.de/netbsd.gdb
https://suse.uni-leipzig.de/netbsd.map


The problem does not occur with a netbsd6-beta kernel.
>How-To-Repeat:

>Fix:

>Release-Note:

>Audit-Trail:
From: 6bone@6bone.informatik.uni-leipzig.de
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/46697: netbsd6-beta2 crash
Date: Tue, 4 Dec 2012 07:41:27 +0100 (CET)

 The problem also occurs with NetBSD 6.0_STABLE.

From: Patrick Welche <prlw1@cam.ac.uk>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: kern/46697
Date: Fri, 29 Apr 2016 17:17:28 +0100

 FWIW according to your coredump, the problem is at

 src/sys/dist/ipf/netinet/fil.c:759

    750                  case ICMP6_DST_UNREACH :
    751                  case ICMP6_PACKET_TOO_BIG :
    752                  case ICMP6_TIME_EXCEEDED :
    753                  case ICMP6_PARAM_PROB :
    754                          fin->fin_flx |= FI_ICMPERR;
    755                          minicmpsz = ICMP6ERR_IPICMPHLEN - sizeof(ip6_t);
    756                          if (fin->fin_plen < ICMP6ERR_IPICMPHLEN)
    757                                  break;
    758  
    759                          if (M_LEN(fin->fin_m) < fin->fin_plen) {
    760                                  if (fr_coalesce(fin) != 1)
    761                                          return;
    762                          }

 where fin->fin_m = 0x0, so M_LEN(fin->fin_m) dereferences 0.

 (gdb) print *fin
 $1 = {fin_ifp = 0xfffffe803dcca008, fin_fi = {fi_v = 6, fi_xx = 0, fi_tos = 0, 
     fi_ttl = 126, fi_p = 58, fi_optmsk = 8, fi_src = {i6 = {1807811104, 11110, 
         0, 728132545}, in4 = {s_addr = 1807811104}, in6 = {__u6_addr = {
           __u6_addr8 = " \002\301kf+\000\000\000\000\000\000\301kf+", 
           __u6_addr16 = {544, 27585, 11110, 0, 0, 0, 27585, 11110}, 
           __u6_addr32 = {1807811104, 11110, 0, 728132545}}}, vptr = {
         0x2b666bc10220, 0x2b666bc100000000}, lptr = {0x2b666bc10220, 
         0x2b666bc100000000}, i6un = {type = 544, subtype = 27585, 
         label = "f+\000\000\000\000\000\000\301kf+"}}, fi_dst = {i6 = {288, 
         4252628318, 2184217380, 1280175939}, in4 = {s_addr = 288}, in6 = {
         __u6_addr = {__u6_addr8 = " \001\000\000^\365y\375$0\202CïML", 
           __u6_addr16 = {288, 0, 62814, 64889, 33572, 33328, 61251, 19533}, 
           __u6_addr32 = {288, 4252628318, 2184217380, 1280175939}}}, vptr = {
         0xfd79f55e00000120, 0x4c4def4382308324}, lptr = {0xfd79f55e00000120, 
         0x4c4def4382308324}, i6un = {type = 288, subtype = 0, 
         label = "^\365y\375$0\202CïML"}}, fi_secmsk = 0, fi_auth = 0, 
     fi_flx = 537465860, fi_tcpmsk = 0, fi_res1 = 0}, fin_dat = {fid_16 = {259, 
       0}, fid_32 = 259}, fin_out = 1, fin_rev = 0, fin_hlen = 40, 
   fin_tcpf = 0 '\000', fin_icode = 0 '\000', fin_rule = 4294967295, 
   fin_group = "\377", '\000' <repeats 14 times>, fin_fr = 0x0, 
   fin_dp = 0xfffffe802e81806e, fin_dlen = 53244, fin_plen = 53292, 
   fin_ipoff = 0, fin_id = 96, fin_off = 0, fin_depth = 0, fin_error = 51, 
   fin_cksum = 0, fin_pktnum = 0, fin_nattag = 0x0, 
   fin_exthdr = 0xfffffe802e818066, fin_ip = 0xfffffe802e81803e, fin_mp = 0x0, 
   fin_m = 0x0}
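 The finding above boils down to a missing pointer check: the code at fil.c:756 validates the packet length, but then reads through fin->fin_m unconditionally, and the dump shows that pointer is NULL (the trap line's cr2 of 20 is consistent with a read through a NULL pointer at a small field offset). The following is an added example, not code from NetBSD, IPF or anyone on this PR. It models only the two fields involved with constructed structs, assumes a placeholder value for ICMP6ERR_IPICMPHLEN, and places the unguarded check pattern beside a hardened form that refuses to proceed without an mbuf:

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model of the relevant fields only; these are NOT the
 * NetBSD struct mbuf or the IPF fr_info_t definitions.
 */
struct mbuf {
	struct mbuf *m_next;
	size_t       m_len;    /* bytes of data in this mbuf */
};

struct fr_info {
	struct mbuf *fin_m;    /* mbuf holding the packet; NULL in the crash dump */
	int          fin_plen; /* packet length as seen by the filter */
};

/* Same shape as the real macro: a field read through the pointer, so a
 * NULL fin_m faults at "NULL + offset of m_len". */
#define M_LEN(m) ((m)->m_len)

/* Assumed value for this model; the real constant lives in the ipf headers. */
#define ICMP6ERR_IPICMPHLEN 88

enum icmp6err_check {
	ICMP6ERR_TOO_SHORT,       /* fin_plen below the minimum: the "break" at line 757 */
	ICMP6ERR_NO_MBUF,         /* fin_m is NULL: the state that crashed */
	ICMP6ERR_NEEDS_COALESCE,  /* mbuf shorter than fin_plen: the fr_coalesce() path */
	ICMP6ERR_OK
};

/* Mirrors the order of checks at fil.c:756-759: length check first, then
 * an unconditional M_LEN(fin->fin_m).  With fin_m == NULL this reproduces
 * the fault, so it is only exercised with a valid mbuf here. */
static enum icmp6err_check
icmp6err_check_unguarded(const struct fr_info *fin)
{
	if (fin->fin_plen < ICMP6ERR_IPICMPHLEN)
		return ICMP6ERR_TOO_SHORT;
	if (M_LEN(fin->fin_m) < (size_t)fin->fin_plen)
		return ICMP6ERR_NEEDS_COALESCE;
	return ICMP6ERR_OK;
}

/* Hardened form: validate the mbuf pointer before any macro that reads
 * through it, and treat a missing mbuf as "stop", never as "continue". */
static enum icmp6err_check
icmp6err_check_guarded(const struct fr_info *fin)
{
	if (fin->fin_plen < ICMP6ERR_IPICMPHLEN)
		return ICMP6ERR_TOO_SHORT;
	if (fin->fin_m == NULL)
		return ICMP6ERR_NO_MBUF;
	if (M_LEN(fin->fin_m) < (size_t)fin->fin_plen)
		return ICMP6ERR_NEEDS_COALESCE;
	return ICMP6ERR_OK;
}

int
main(void)
{
	/* Field values taken from the gdb dump in the PR: fin_m = 0x0, fin_plen = 53292. */
	struct fr_info crash = { NULL, 53292 };
	/* Constructed ordinary packet: one 1500-byte mbuf holding the whole packet. */
	struct mbuf m = { NULL, 1500 };
	struct fr_info normal = { &m, 1500 };

	printf("crash state, guarded:     %d (expect %d)\n",
	    icmp6err_check_guarded(&crash), ICMP6ERR_NO_MBUF);
	printf("normal packet, unguarded: %d (expect %d)\n",
	    icmp6err_check_unguarded(&normal), ICMP6ERR_OK);
	return 0;
}
```

 The guarded variant returns ICMP6ERR_NO_MBUF for the exact field values in the dump instead of faulting; the unguarded variant behaves identically on every input that carries an mbuf, which is why the defect only shows up "sometimes".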

From: 6bone@6bone.informatik.uni-leipzig.de
To: gnats-bugs@NetBSD.org
Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: kern/46697
Date: Fri, 13 May 2016 07:48:57 +0200 (CEST)


 Perhaps it is the same problem as kern/50629? Christos Zoulas wrote a
 workaround and applied it to netbsd-7.

 Regards
 Uwe


From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/46697
Date: Mon, 15 Aug 2016 15:03:48 +0000

 On Fri, May 13, 2016 at 05:50:01AM +0000, 6bone@6bone.informatik.uni-leipzig.de wrote:
  >  Perhaps it is the same problem as kern/50629? Christos Zoulas wrote a
  >  workaround and applied it to netbsd-7.

 If it is, should we close the PR? :-)

 (Have you seen the problem since you got that fix? Or would you like
 the fix in -6?)

 -- 
 David A. Holland
 dholland@netbsd.org

From: 6bone@6bone.informatik.uni-leipzig.de
To: gnats-bugs@NetBSD.org
Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: kern/46697
Date: Fri, 19 Aug 2016 21:43:58 +0200 (CEST)

 On Mon, 15 Aug 2016, David Holland wrote:

 > If it is, should we close the PR? :-)
 >
 > (Have you seen the problem since you got that fix? Or would you like
 > the fix in -6?)

 I changed all systems which are using ipfilter to netbsd-7. There, the
 patch has solved the problem.

 Under netbsd-6 I could not test the patch. The PR can be closed.


 Thank you for your efforts.

 Regards
 Uwe

State-Changed-From-To: open->closed
State-Changed-By: maya@NetBSD.org
State-Changed-When: Sun, 18 Feb 2018 11:15:07 +0000
State-Changed-Why:
Author said to close it.


>Unformatted:
