NetBSD Problem Report #47576

From t-hash@abox3.so-net.ne.jp  Mon Feb 18 13:11:41 2013
Return-Path: <t-hash@abox3.so-net.ne.jp>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	by www.NetBSD.org (Postfix) with ESMTP id 345CA63E500
	for <gnats-bugs@gnats.NetBSD.org>; Mon, 18 Feb 2013 13:11:41 +0000 (UTC)
Message-Id: <201302181311.r1IDBZWi011770@ms-omx12.plus.so-net.ne.jp>
Date: Mon, 18 Feb 2013 22:11:35 +0900
From: Takahiro HAYASHI <t-hash@abox3.so-net.ne.jp>
To: gnats-bugs@gnats.NetBSD.org
Subject: deleting interface that does not have ipv6 link-local address causes kernel panic

>Number:         47576
>Category:       kern
>Synopsis:       deleting interface that does not have ipv6 link-local address causes kernel panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Feb 18 13:15:00 +0000 2013
>Closed-Date:    Thu Aug 08 22:02:41 +0000 2013
>Last-Modified:  Thu Aug 08 22:02:41 +0000 2013
>Originator:     Takahiro HAYASHI
>Release:        NetBSD 6.99.16
>Organization:
>Environment:
System: NetBSD ruin 6.99.16 NetBSD 6.99.16 (MONOLITHIC) #0: Wed Feb 13 13:56:34 UTC 2013 builds@b7.netbsd.org:/home/builds/ab/HEAD/i386/201302130710Z-obj/home/builds/ab/HEAD/src/sys/arch/i386/compile/MONOLITHIC i386
Architecture: i386
Machine: i386
>Description:
	Deleting an interface that does not have an IPv6 link-local address
	causes a kernel panic.
	Unplugging a USB Ethernet adapter that does not have an IPv6
	link-local address also causes a panic.

# ifconfig tap0 create up
# ifconfig tap0
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ec_capabilities=5<VLAN_MTU,JUMBO_MTU>
        ec_enabled=0
        address: f2:0b:a4:4c:05:7e
        media: Ethernet autoselect
        inet6 fe80::f00b:a4ff:fe4c:57e%tap0 prefixlen 64 scopeid 0x4
# ifconfig tap0 inet6 `ifconfig tap0|grep fe80|awk '{print $2}'` delete
# ifconfig tap0
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ec_capabilities=5<VLAN_MTU,JUMBO_MTU>
        ec_enabled=0
        address: f2:0b:a4:4c:05:7e
        media: Ethernet autoselect
# ifconfig tap0 destroy
uvm_fault(0xc1fc9eec, 0, 1) -> 0xe
fatal page fault in supervisor mode
trap type 6 code 0 eip c06457fc cs 8 eflags 10246 cr2 10 ilevel 6 esp 4
curlwp 0xc1fb9560 pid 402 lid 1 lowest kstack 0xd87b3000
kernel: supervisor trap page fault, code=0
Stopped in pid 402.1 (ifconfig) at      netbsd:prelist_remove+0xd2:     movl    10(%esi),%edx
db{0}> bt
prelist_remove(c1c9f084,d87b5900,c1c49320,d87b586c,c04d0629,c1c49320,c1c49320,c0766c70,c1c49320,c1c49320) at netbsd:prelist_remove+0xd2
nd6_purge(c1c49320,c1c49320,c0766c70,c1c49320,c1c49320,0,d87b586c,c04cbce0,c1c49320,d87b5900) at netbsd:nd6_purge+0x105
in6_ifdetach(c1c49320,c1c49320,c04cea91,c0ce02a0,ffffffff,c1ee27a0,c1fb9560,1,c1fb9560,c1c49320) at netbsd:in6_ifdetach+0x1c
udp6_usrreq(d87b5900,16,0,0,c1c49320,c1fb9560,c1c49320,d87b5a60,c03b1c89,d87b5900) at netbsd:udp6_usrreq+0x275
udp6_usrreq_wrapper(d87b5900,16,0,0,c1c49320,c1fb9560,d87b5900,0,0,0) at netbsd:udp6_usrreq_wrapper+0x41
if_detach(c1c49320,4,12,455,0,ffffffff,0,c0c749a0,c1b8f040,c0cdf820) at netbsd:if_detach+0x203
tap_detach(c1b8f040,0,c0bb1bc5,d87b5ad4,c03b0010,c1c0e000,c0bb1bc1,3,c1c49320,c1c0e000) at netbsd:tap_detach+0xc3
config_detach(c1b8f040,0,80906979,0,c1c49320,d87b5bd4,c03b2c06,c1b8f040,4,14) at netbsd:config_detach+0xc4
tap_clone_destroyer(c1b8f040,4,14,c1c49320,80906979,0,0,c1fb9560,c1b87618,c1c0e000) at netbsd:tap_clone_destroyer+0x26
ifioctl(c1fd17cc,80906979,c1c0e000,c1fb9560,0,c1022980,d87b5c24,80906979,d87b5d00,c1c2b440) at netbsd:ifioctl+0x430
soo_ioctl(c1c2b440,80906979,c1c0e000,c1feae1c,c1feae40,c1fead80,d87b5c48,c055dd7d,90,c1fead80) at netbsd:soo_ioctl+0x2c5
sys_ioctl(c1fb9560,d87b5d00,d87b5d28,c1fc9eec,0,36,c1ca21b4,d87b5d00,3,80906979) at netbsd:sys_ioctl+0x1b2
--- syscall (number 54) ---
bbb3ef27:
db{0}> 

>How-To-Repeat:
	Type the following commands.

	ifconfig tap0 create up
	ifconfig tap0 inet6 `ifconfig tap0|grep fe80|awk '{print $2}'` delete
	ifconfig tap0 destroy
>Fix:
	Not known.
	You can avoid the panic by adding an IPv6 link-local address before
	you delete the interface.

--
t-hash
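
A pre-check for the workaround in the Fix field above, as an added example (not part of the original report and not NetBSD code): it lists the interfaces whose ifconfig output shows no IPv6 link-local address, so that one can be added before the interface is destroyed on a kernel without the fix. The sample output is constructed from the tap0 listing in this report; tap1, tap2 and their addresses are assumptions.

```shell
#!/bin/sh
# Added example: list interfaces in ifconfig(8)-style output that have no
# IPv6 link-local (fe80::/10) address, the state this PR reports as leading
# to a panic on "ifconfig <if> destroy" in affected kernels.

# Reads ifconfig-style output on stdin, prints one interface name per line.
ifaces_without_linklocal() {
    awk '
        # An interface header starts in column 1: "tap0: flags=..."
        /^[^ \t][^ \t]*: flags=/ {
            if (name != "" && !ll) print name
            name = $1; sub(/:$/, "", name); ll = 0
            next
        }
        # fe80::/10 covers first hextets fe80 through febf.
        $1 == "inet6" && tolower($2) ~ /^fe[89ab][0-9a-f]:/ { ll = 1 }
        END { if (name != "" && !ll) print name }
    '
}

# Constructed sample: tap0 as shown in the report after its link-local
# address was deleted; tap1 and tap2 are hypothetical interfaces.
sample_ifconfig() {
    cat <<'EOF'
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ec_capabilities=5<VLAN_MTU,JUMBO_MTU>
        ec_enabled=0
        address: f2:0b:a4:4c:05:7e
        media: Ethernet autoselect
tap1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: f2:0b:a4:4c:05:7f
        inet6 fe80::f00b:a4ff:fe4c:57f%tap1 prefixlen 64 scopeid 0x5
        inet6 2001:db8::1 prefixlen 64
tap2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: f2:0b:a4:4c:05:80
        inet6 2001:db8::2 prefixlen 64
EOF
}

# A global address alone does not count, so tap2 is reported with tap0.
sample_ifconfig | ifaces_without_linklocal
```

On a live system the function would be fed from `ifconfig -a` instead of the sample.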

>Release-Note:

>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/47576 CVS commit: src/sys/netinet6
Date: Mon, 18 Feb 2013 11:45:51 -0500

 Module Name:	src
 Committed By:	christos
 Date:		Mon Feb 18 16:45:50 UTC 2013

 Modified Files:
 	src/sys/netinet6: nd6_rtr.c

 Log Message:
 PR/47576: Takahiro HAYASHI: Avoid crash destroying tap0 after deleting
 its link-local address.


 To generate a diff of this commit:
 cvs rdiff -u -r1.85 -r1.86 src/sys/netinet6/nd6_rtr.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Mon, 18 Feb 2013 23:35:52 +0000
State-Changed-Why:
Christos fixed it. And since AFAICT the wrong code isn't in netbsd-6,
there looks to be no need for pullups.


From: Takahiro HAYASHI <t-hash@abox3.so-net.ne.jp>
To: gnats-bugs@NetBSD.org
Cc: kern-bug-people@NetBSD.org, netbsd-bugs@NetBSD.org, gnats-admin@NetBSD.org,
        dholland@NetBSD.org
Subject: Re: kern/47576 (deleting interface that does not have ipv6 link-local address causes kernel panic)
Date: Wed, 31 Jul 2013 20:09:28 +0900

 On Mon, 18 Feb 2013 23:35:53 +0000 (UTC)
 dholland@NetBSD.org wrote:

 > Synopsis: deleting interface that does not have ipv6 link-local address causes kernel panic
 > 
 > State-Changed-From-To: open->closed
 > State-Changed-By: dholland@NetBSD.org
 > State-Changed-When: Mon, 18 Feb 2013 23:35:52 +0000
 > State-Changed-Why:
 > Christos fixed it. And since AFAICT the wrong code isn't in netbsd-6,
 > there looks to be no need for pullups.

 This needs to be pulled up to netbsd-6{,-0,-1}.

 ipv6 DoS attack avoidance is now pulled-up to netbsd-6*, but this
 revision of nd6_rtr.c does not include diff -r1.85 -r1.86.
 http://mail-index.netbsd.org/source-changes/2013/07/08/msg045300.html


From: Masanobu SAITOH <msaitoh@execsw.org>
To: gnats-bugs@NetBSD.org
Cc: Takahiro HAYASHI <t-hash@abox3.so-net.ne.jp>, 
 kern-bug-people@netbsd.org, gnats-admin@netbsd.org, 
 netbsd-bugs@netbsd.org, msaitoh@execsw.org
Subject: Re: kern/47576 (deleting interface that does not have ipv6 link-local
 address causes kernel panic)
Date: Thu, 01 Aug 2013 12:39:34 +0900

 (2013/07/31 20:10), Takahiro HAYASHI wrote:
 > The following reply was made to PR kern/47576; it has been noted by GNATS.
 > 
 > From: Takahiro HAYASHI <t-hash@abox3.so-net.ne.jp>
 > To: gnats-bugs@NetBSD.org
 > Cc: kern-bug-people@NetBSD.org, netbsd-bugs@NetBSD.org, gnats-admin@NetBSD.org,
 >          dholland@NetBSD.org
 > Subject: Re: kern/47576 (deleting interface that does not have ipv6 link-local address causes kernel panic)
 > Date: Wed, 31 Jul 2013 20:09:28 +0900
 > 
 >   On Mon, 18 Feb 2013 23:35:53 +0000 (UTC)
 >   dholland@NetBSD.org wrote:
 >   
 >   > Synopsis: deleting interface that does not have ipv6 link-local address causes kernel panic
 >   >
 >   > State-Changed-From-To: open->closed
 >   > State-Changed-By: dholland@NetBSD.org
 >   > State-Changed-When: Mon, 18 Feb 2013 23:35:52 +0000
 >   > State-Changed-Why:
 >   > Christos fixed it. And since AFAICT the wrong code isn't in netbsd-6,
 >   > there looks to be no need for pullups.
 >   
 >   This needs to be pulled up to netbsd-6{,-0,-1}.
 >   
 >   ipv6 DoS attack avoidance is now pulled-up to netbsd-6*, but this
 >   revision of nd6_rtr.c does not include diff -r1.85 -r1.86.
 >   http://mail-index.netbsd.org/source-changes/2013/07/08/msg045300.html
 >   

 I sent the pullup request now.

 	http://releng.netbsd.org/cgi-bin/req-6.cgi?show=926

 -- 
 -----------------------------------------------
                 SAITOH Masanobu (msaitoh@execsw.org
                                  msaitoh@netbsd.org)

State-Changed-From-To: closed->pending-pullups
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Fri, 02 Aug 2013 04:41:42 +0000
State-Changed-Why:
pullup-6 #926


From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/47576 CVS commit: [netbsd-6-0] src/sys/netinet6
Date: Thu, 8 Aug 2013 21:55:19 +0000

 Module Name:	src
 Committed By:	snj
 Date:		Thu Aug  8 21:55:19 UTC 2013

 Modified Files:
 	src/sys/netinet6 [netbsd-6-0]: nd6_rtr.c

 Log Message:
 Pull up following revision(s) (requested by msaitoh in ticket #926):
 	sys/netinet6/nd6_rtr.c: revision 1.86
 PR/47576: Takahiro HAYASHI: Avoid crash destroying tap0 after deleting
 its link-local address.


 To generate a diff of this commit:
 cvs rdiff -u -r1.82.8.2 -r1.82.8.3 src/sys/netinet6/nd6_rtr.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/47576 CVS commit: [netbsd-6-1] src/sys/netinet6
Date: Thu, 8 Aug 2013 21:57:40 +0000

 Module Name:	src
 Committed By:	snj
 Date:		Thu Aug  8 21:57:40 UTC 2013

 Modified Files:
 	src/sys/netinet6 [netbsd-6-1]: nd6_rtr.c

 Log Message:
 Pull up following revision(s) (requested by msaitoh in ticket #926):
 	sys/netinet6/nd6_rtr.c: revision 1.86
 PR/47576: Takahiro HAYASHI: Avoid crash destroying tap0 after deleting
 its link-local address.


 To generate a diff of this commit:
 cvs rdiff -u -r1.82.10.2 -r1.82.10.3 src/sys/netinet6/nd6_rtr.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/47576 CVS commit: [netbsd-6] src/sys/netinet6
Date: Thu, 8 Aug 2013 21:58:55 +0000

 Module Name:	src
 Committed By:	snj
 Date:		Thu Aug  8 21:58:55 UTC 2013

 Modified Files:
 	src/sys/netinet6 [netbsd-6]: nd6_rtr.c

 Log Message:
 Pull up following revision(s) (requested by msaitoh in ticket #926):
 	sys/netinet6/nd6_rtr.c: revision 1.86
 PR/47576: Takahiro HAYASHI: Avoid crash destroying tap0 after deleting
 its link-local address.


 To generate a diff of this commit:
 cvs rdiff -u -r1.82.4.2 -r1.82.4.3 src/sys/netinet6/nd6_rtr.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: pending-pullups->closed
State-Changed-By: snj@NetBSD.org
State-Changed-When: Thu, 08 Aug 2013 22:02:41 +0000
State-Changed-Why:
Pulled up.


>Unformatted:
