NetBSD Problem Report #8994
Received: (qmail 4279 invoked from network); 15 Dec 1999 21:04:05 -0000
Message-Id: <19991215210402.4EFD829@pueblo.research.att.com>
Date: Wed, 15 Dec 1999 16:04:02 -0500 (EST)
From: smb@pueblo.research.att.com
Reply-To: smb@research.att.com
To: gnats-bugs@gnats.netbsd.org
Subject: 'ping' on eon0 panics the system
X-Send-Pr-Version: 3.95
>Number: 8994
>Category: kern
>Synopsis: 'ping' on eon0 panics the system
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: kern-bug-people
>State: analyzed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Dec 15 13:06:01 +0000 1999
>Closed-Date:
>Last-Modified: Sat Nov 12 16:00:09 +0000 2005
>Originator: Steven M. Bellovin
>Release: Comdex snapshot
>Organization:
>Environment:
System: NetBSD pueblo.research.att.com 1.4M NetBSD 1.4M (PUEBLO) #2: Wed Dec 15 15:47:15 EST 1999 smb@pueblo.research.att.com:/usr/src/sys/arch/i386/compile/PUEBLO i386
>Description:
Attempting to use the eon0 interface can crash the system.
This latest time, at least, there was no core dump; however,
the machine did reboot. The problem is reproducible.
>How-To-Repeat:
# ifconfig eon0 192.168.1.1
# ping 192.168.1.2
>Fix:
>Release-Note:
>Audit-Trail:
From: itojun@iijlab.net
To: smb@research.att.com
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: kern/8994: 'ping' on eon0 crashes the system
Date: Thu, 16 Dec 1999 06:15:38 +0900
>>Number: 8994
>>Category: kern
>>Synopsis: 'ping' on eon0 crashes the system
>>Description:
> Attempting to use the eon0 interface can crash the system.
> This latest time, at least, there was no core dump; however,
> the machine did reboot. The problem is reproducible.
>>How-To-Repeat:
> # ifconfig eon0 192.168.1.1
> # ping 192.168.1.2
I believe this is same as PR8990. Please grab latest net/if_loop.c.
itojun
From: "Steven M. Bellovin" <smb@research.att.com>
To: itojun@iijlab.net
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: kern/8994: 'ping' on eon0 crashes the system
Date: Wed, 15 Dec 1999 17:59:44 -0500
In message <24812.945292538@coconut.itojun.org>, itojun@iijlab.net writes:
>
> >>Number: 8994
> >>Category: kern
> >>Synopsis: 'ping' on eon0 crashes the system
> >>Description:
> > Attempting to use the eon0 interface can crash the system.
> > This latest time, at least, there was no core dump; however,
> > the machine did reboot. The problem is reproducible.
> >>How-To-Repeat:
> > # ifconfig eon0 192.168.1.1
> > # ping 192.168.1.2
>
> I believe this is same as PR8990. Please grab latest net/if_loop.c.
I installed that version with my existing kernel and retried the test. It
still crashed the machine.
--Steve Bellovin
From: itojun@iijlab.net
To: "Steven M. Bellovin" <smb@research.att.com>
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: kern/8994: 'ping' on eon0 crashes the system
Date: Thu, 16 Dec 1999 08:21:16 +0900
>> I believe this is same as PR8990. Please grab latest net/if_loop.c.
>I installed that version with my existing kernel and retried the test. It
>still crashed the machine.
pls try adding:
m->m_pkthdr.rcvif = NULL;
before ip_output() in eonoutput(). it should be ipsec issue.
itojun
From: itojun@iijlab.net
To: "Steven M. Bellovin" <smb@research.att.com>, gnats-bugs@gnats.netbsd.org
Cc:
Subject: Re: kern/8994: 'ping' on eon0 crashes the system
Date: Thu, 16 Dec 1999 08:41:39 +0900
>>> I believe this is same as PR8990. Please grab latest net/if_loop.c.
>>I installed that version with my existing kernel and retried the test. It
>>still crashed the machine.
> pls try adding:
> m->m_pkthdr.rcvif = NULL;
> before ip_output() in eonoutput(). it should be ipsec issue.
sorry this was not enough. this seems to be very new problem.
itojun
From: "Steven M. Bellovin" <smb@research.att.com>
To: itojun@iijlab.net
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: kern/8994: 'ping' on eon0 crashes the system
Date: Wed, 15 Dec 1999 21:49:06 -0500
In message <26644.945301299@coconut.itojun.org>, itojun@iijlab.net writes:
>
> >>> I believe this is same as PR8990. Please grab latest net/if_loop.c.
> >>I installed that version with my existing kernel and retried the test. It
> >>still crashed the machine.
> > pls try adding:
> > m->m_pkthdr.rcvif = NULL;
> > before ip_output() in eonoutput(). it should be ipsec issue.
>
> sorry this was not enough. this seems to be very new problem.
Right, I already learned that... It's not an urgent problem, of course, since
I have no need for the eon driver. But I'm clearly not the only one who has
seen a crash (possibly) attributable to this, when running dhclient.
I've backed out this change; I'm still running the newest if_loop.c
--Steve Bellovin
From: "Steven M. Bellovin" <smb@research.att.com>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/8994: 'ping' on eon0 crashes the system
Date: Wed, 15 Dec 1999 22:50:53 -0500
It was pointed out to me that I didn't include boot messages or console
messages. The boot messages are below; there were no console messages and no
dump...
NetBSD 1.4M (PUEBLO) #5: Wed Dec 15 21:37:27 EST 1999
root@pueblo.research.att.com:/usr/src/sys/arch/i386/compile/PUEBLO
cpu0: family 5 model 2 step c
cpu0: Intel Pentium (P54C) (586-class)
total memory = 73344 KB
avail memory = 63904 KB
using 942 buffers containing 3768 KB of memory
mainbus0 (root)
pci0 at mainbus0 bus 0: configuration mode 1
pci0: i/o enabled, memory enabled
pchb0 at pci0 dev 0 function 0
pchb0: Intel 82437MX Mobile System Controller (MTSC) (rev. 0x02)
pcib0 at pci0 dev 1 function 0
pcib0: Intel 82371MX Mobile PCI I/O IDE Xcelerator (MPIIX) (rev. 0x03)
vga1 at pci0 dev 3 function 0: Trident Microsystems TGUI 9660 (rev. 0xd3)
wsdisplay0 at vga1: console (80x25, vt100 emulation)
pcic0 at pci0 dev 19 function 0: Cirrus Logic PD6729 PCMCIA controller
pcic0: controller 0 (Cirrus PD672X) has sockets A and B
pcic0: interrupting at irq 3
isa0 at pcib0
com0 at isa0 port 0x3f8-0x3ff irq 4: ns16550a, working fifo
com1 at isa0 port 0x2f8-0x2ff irq 3: ns16550a, working fifo
wdc0 at isa0 port 0x1f0-0x1f7 irq 14
wd0 at wdc0 channel 0 drive 0: <IBM-DADA-26480>
wd0: drive supports 16-sector pio transfers, lba addressing
wd0: 6194MB, 13424 cyl, 15 head, 63 sec, 512 bytes/sect x 12685680 sectors
wd0: drive supports PIO mode 4, DMA mode 2, Ultra-DMA mode 2
lpt2 at isa0 port 0x3bc-0x3bf: polled
sb0 at isa0 port 0x220-0x237 irq 5 drq 1: dsp v3.01
audio0 at sb0: half duplex
midi0 at sb0: SB MIDI UART
opl0 at sb0: model OPL3
midi1 at opl0: SB Yamaha OPL3
pckbc0 at isa0 port 0x60-0x64
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi2 at pcppi0: PC speaker
sysbeep0 at pcppi0
isapnp0 at isa0 port 0x279: ISA Plug 'n Play device support
npx0 at isa0 port 0xf0-0xff: using exception 16
fdc0 at isa0 port 0x3f0-0x3f7 irq 6 drq 2
isapnp0: no ISA Plug 'n Play devices found
pcmcia0 at pcic0 controller 0 socket 0
pcmcia1 at pcic0 controller 0 socket 1
pcmcia1: CIS version PCMCIA 2.0 or 2.1
pcmcia1: CIS info: 3Com Corporation, 3C589D, TP/BNC LAN Card Ver. 2a, 000002
pcmcia1: Manufacturer code 0x101, product 0x589
pcmcia1: function 0: network adapter, ccr addr 10000 mask 3
pcmcia1: function 0, config table entry 1: I/O card; irq mask ffff; iomask 4, iospace 0; rdybsy_active wp_active bvd_active io8 io16 irqlevel
pcmcia1: function 0, config table entry 3: I/O card; irq mask ffff; iomask 4, iospace 0; rdybsy_active wp_active bvd_active io8 io16 irqlevel
ep1 at pcmcia1 function 0 port 0x400-0x40f: 3Com 3c589 10Mbps Ethernet
ep1: supplying EUI64: 00:10:4b:ff:fe:ed:22:be
ep1: address 00:10:4b:ed:22:be, 8KB byte-wide FIFO, 5:3 Rx:Tx split
ep1: 10baseT, 10base5, 10base2 (default 10baseT)
apm0 at mainbus0: Power Management spec V1.2
apm0: battery life expectancy: 100%
apm0: A/C state: on
apm0: battery charge state: high
biomask efc5 netmask efc5 ttymask ffcf
IPsec: Initialized Security Association Processing.
boot device: wd0
root on wd0a dumps on wd0b
root file system type: ffs
pcmcia1: card irq 7
ep1: starting DAD for fe80:0001::0210:4bff:feed:22be
ep1: DAD complete for fe80:0001::0210:4bff:feed:22be - no duplicates found
--Steve Bellovin
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
To: gnats-bugs@netbsd.org
Cc:
Subject: kern/8994: 'ping' on eon0 crashes the system
Date: Tue, 04 Jul 2000 23:27:11 -0400
eon does rfc986 iso-in-ip encapsulation and tunnelling.
it appears to be fairly easy to (mis)configure it such that ip packets
get routed into it in such a way that the encapsulated packet ends up
coming back to eon, resulting in a recursive tailspin between
ip_output and eonoutput, blowing the kernel stack.
Sample traceback after 3 levels of recursion:
Breakpoint 17, eonoutput (ifp=0xc02ad3e0, m=0xc043b300, sdst=0xc044e3b0,
rt=0xc045b200) at ../../../../netiso/if_eon.c:365
(gdb) where
#0 eonoutput (ifp=0xc02ad3e0, m=0xc043b300, sdst=0xc044e3b0, rt=0xc045b200)
at ../../../../netiso/if_eon.c:365
#1 0xc01909f3 in ip_output (m0=0x0) at ../../../../netinet/ip_output.c:578
#2 0xc01d2d03 in eonoutput (ifp=0xc02ad3e0, m=0xc043b300, sdst=0xc044e3b0,
rt=0xc045b200) at ../../../../netiso/if_eon.c:444
#3 0xc01909f3 in ip_output (m0=0x0) at ../../../../netinet/ip_output.c:578
#4 0xc01d2d03 in eonoutput (ifp=0xc02ad3e0, m=0xc043b200, sdst=0xc0460024,
rt=0xc045b200) at ../../../../netiso/if_eon.c:444
#5 0xc01909f3 in ip_output (m0=0x0) at ../../../../netinet/ip_output.c:578
#6 0xc0195cf7 in rip_output (m=0xc043b100) at ../../../../netinet/raw_ip.c:284
#7 0xc019614a in rip_usrreq (so=0xc045f000, req=9, m=0xc043b100,
nam=0xc043b000, control=0x0, p=0xc52e17d0)
at ../../../../netinet/raw_ip.c:551
#8 0xc0148621 in sosend (so=0xc045f000, addr=0xc043b000, uio=0xc52fbed8,
top=0xc043b100, control=0x0, flags=0) at ../../../../kern/uipc_socket.c:512
#9 0xc014b658 in sendit (p=0xc52e17d0, s=3, mp=0xc52fbf1c, flags=0,
retsize=0xc52fbf80) at ../../../../kern/uipc_syscalls.c:560
#10 0xc014b38c in sys_sendto (p=0xc52e17d0, v=0xc52fbf88, retval=0xc52fbf80)
at ../../../../kern/uipc_syscalls.c:418
#11 0xc0221ddf in syscall (frame={tf_es = 31, tf_ds = 31,
tf_edi = -1077945132, tf_esi = 84, tf_ebp = -1077945212, tf_ebx = 0,
tf_edx = 5, tf_ecx = -1, tf_eax = 133, tf_trapno = 3, tf_err = 2,
tf_eip = 134635031, tf_cs = 23, tf_eflags = 518, tf_esp = -1077945260,
tf_ss = 31, tf_vm86_es = 0, tf_vm86_ds = 0, tf_vm86_fs = 0,
tf_vm86_gs = 0}) at ../../../../arch/i386/i386/trap.c:765
- Bill
State-Changed-From-To: open->analyzed
State-Changed-By: sommerfeld
State-Changed-When: Tue Jul 4 20:32:11 PDT 2000
State-Changed-Why:
how is eon broken? let me count the ways..
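
The ip_output/eonoutput recursion from Bill Sommerfeld's analysis above, reduced to a user-space C model with a per-packet nesting guard. This is an added example, not code from this PR or from NetBSD; the toy_* names, the routing table, the error codes and the nesting limit of 1 are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define TOY_MAX_NEST 1    /* assumed limit: one encapsulation per packet */
#define TOY_ELOOP   (-1)  /* constructed error: encapsulation loop */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

enum toy_if { TOY_ETHER, TOY_TUNNEL };
struct toy_route { uint32_t net, mask; enum toy_if out; };
struct toy_pkt { uint32_t dst; int nest; };  /* nest = encapsulations so far */

/* Constructed table: 192.168.1.0/24 points into the tunnel, default is Ethernet. */
static const struct toy_route toy_rt[] = {
    { IP4(192, 168, 1, 0), IP4(255, 255, 255, 0), TOY_TUNNEL },
    { 0, 0, TOY_ETHER },
};

static int toy_ip_output(uint32_t peer, struct toy_pkt *p);
/* Tunnel output: encapsulate, then hand the outer packet back to IP. */
static int toy_tunnel_output(uint32_t peer, struct toy_pkt *p)
{
    if (p->nest >= TOY_MAX_NEST)  /* guard: refuse to encapsulate again */
        return TOY_ELOOP;
    p->nest++;
    p->dst = peer;                /* outer header addresses the tunnel peer */
    return toy_ip_output(peer, p);
}

static int toy_ip_output(uint32_t peer, struct toy_pkt *p)
{
    for (size_t i = 0; i < sizeof(toy_rt) / sizeof(toy_rt[0]); i++) {
        const struct toy_route *r = &toy_rt[i];
        if ((p->dst & r->mask) == r->net)  /* first match wins */
            return r->out == TOY_TUNNEL ? toy_tunnel_output(peer, p) : p->nest;
    }
    return -2;                    /* no route (constructed error code) */
}

int toy_send(uint32_t peer, uint32_t dst)  /* depth at transmit, or < 0 */
{
    struct toy_pkt p = { dst, 0 };
    return toy_ip_output(peer, &p);
}

int main(void)
{
    printf("peer off-tunnel: %d\n", toy_send(IP4(10, 0, 0, 2), IP4(192, 168, 1, 2)));
    printf("peer via tunnel: %d\n", toy_send(IP4(192, 168, 1, 2), IP4(192, 168, 1, 2)));
    return 0;
}
```

When the peer address falls inside the prefix routed to the tunnel, the guard returns TOY_ELOOP after one encapsulation instead of recursing until the stack is exhausted.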
>Unformatted: