NetBSD Problem Report #45764
From spz@NetBSD.org Sat Dec 31 22:11:24 2011
Return-Path: <spz@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id 0620563D9C8
for <gnats-bugs@gnats.NetBSD.org>; Sat, 31 Dec 2011 22:11:24 +0000 (UTC)
Message-Id: <20111231221128.BE2AA2FD3F@ftp.NetBSD.org>
Date: Sat, 31 Dec 2011 22:11:28 +0000 (UTC)
From: spz@NetBSD.org
Reply-To: spz@NetBSD.org
To: gnats-bugs@gnats.NetBSD.org
Subject: ifconfig stf0 destroy is unhealthy
X-Send-Pr-Version: 3.95
>Number: 45764
>Category: kern
>Synopsis: ifconfig stf0 destroy caused a panic
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Dec 31 22:15:00 +0000 2011
>Closed-Date: Sun May 29 23:05:36 +0000 2016
>Last-Modified: Sun May 29 23:05:36 +0000 2016
>Originator: S.P.Zeidler
>Release: NetBSD 5.1_STABLE
>Organization:
TNF
>Environment:
System: NetBSD morden.NetBSD.org 5.1_STABLE NetBSD 5.1_STABLE (NBFTP) #17: Sat Dec 24 15:46:47 UTC 2011 root@franklin.NetBSD.org:/home/netbsd/5/amd64/kern-compile/NBFTP amd64
Architecture: x86_64
Machine: amd64
>Description:
fatal protection fault in supervisor mode
trap type 4 code 0 rip ffffffff8017e065 cs 8 rflags 10282 cr2 7f7ffd618020 cpl 6 rsp ffff80004f0076c0
kernel: protection fault trap, code=0
Stopped in pid 12552.1 (ifconfig) at netbsd:nd6_purge+0xd5: cmpb $0x12,0x1(%rax)
db{0}> bt
nd6_purge() at netbsd:nd6_purge+0xd5
in6_ifdetach() at netbsd:in6_ifdetach+0x21
in6_purgeif() at netbsd:in6_purgeif+0x25
udp6_usrreq() at netbsd:udp6_usrreq+0xfd
udp6_usrreq_wrapper() at netbsd:udp6_usrreq_wrapper+0x51
if_detach() at netbsd:if_detach+0x2b0
stf_clone_destroy() at netbsd:stf_clone_destroy+0x4c
if_clone_destroy() at netbsd:if_clone_destroy+0x44
ifioctl() at netbsd:ifioctl+0x1a3
soo_ioctl() at netbsd:soo_ioctl+0x246
sys_ioctl() at netbsd:sys_ioctl+0x138
syscall() at netbsd:syscall+0xa0
>How-To-Repeat:
strict repeatability has not been tested
ifconfig stf0 create
ifconfig stf0 inet6 2002:c7e9:d9f9::21/16 alias deprecated link0
[wait a while]
ifconfig stf0 destroy
>Fix:
left as an exercise for now
>Release-Note:
>Audit-Trail:
From: Mindaugas Rasiukevicius <rmind@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc: spz@NetBSD.org, kern-bug-people@netbsd.org, gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org
Subject: Re: kern/45764: ifconfig stf0 destroy is unhealthy
Date: Sun, 1 Jan 2012 13:05:20 +0000
spz@NetBSD.org wrote:
> ...
> >Description:
> fatal protection fault in supervisor mode
> trap type 4 code 0 rip ffffffff8017e065 cs 8 rflags 10282 cr2
> 7f7ffd618020 cpl 6 rsp ffff80004f0076c0 kernel: protection fault trap,
> code=0 Stopped in pid 12552.1 (ifconfig) at netbsd:nd6_purge+0xd5:
> cmpb $0x12,0x1(%rax) db{0}> bt
> nd6_purge() at netbsd:nd6_purge+0xd5
> in6_ifdetach() at netbsd:in6_ifdetach+0x21
> in6_purgeif() at netbsd:in6_purgeif+0x25
> udp6_usrreq() at netbsd:udp6_usrreq+0xfd
> udp6_usrreq_wrapper() at netbsd:udp6_usrreq_wrapper+0x51
> if_detach() at netbsd:if_detach+0x2b0
> stf_clone_destroy() at netbsd:stf_clone_destroy+0x4c
> if_clone_destroy() at netbsd:if_clone_destroy+0x44
> ifioctl() at netbsd:ifioctl+0x1a3
> soo_ioctl() at netbsd:soo_ioctl+0x246
> sys_ioctl() at netbsd:sys_ioctl+0x138
> syscall() at netbsd:syscall+0xa0
Assembly fragment in question:
ffffffff8017e05c: 48 8b 47 60 mov 0x60(%rdi),%rax
ffffffff8017e060: 48 85 c0 test %rax,%rax
ffffffff8017e063: 74 db je ffffffff8017e040 <nd6_purge+0xb0>
ffffffff8017e065: 80 78 01 12 cmpb $0x12,0x1(%rax)
ffffffff8017e069: 75 d5 jne ffffffff8017e040 <nd6_purge+0xb0>
The compare instruction seems to be rt->rt_gateway->sa_family == AF_LINK, see:
http://nxr.netbsd.org/xref/src/sys/netinet6/nd6.c?r=1.139#802
It has passed rt->rt_gateway != NULL (test %rax,%rax), which indicates that
rt->rt_gateway pointer contains garbage.
--
Mindaugas
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/45764 CVS commit: src/sys/netinet6
Date: Thu, 2 Feb 2012 22:32:45 -0500
Module Name: src
Committed By: christos
Date: Fri Feb 3 03:32:45 UTC 2012
Modified Files:
src/sys/netinet6: nd6.c
Log Message:
PR/45764, PR/45914
Part 1:
nd6_purge can be called after dom_ifdetach, and if_afdata[AF_INET6] is
going to be freed and point to garbage. Make sure we check for NULL, before
taking the pointer offset.
While I am here, add an M_ZERO.
To generate a diff of this commit:
cvs rdiff -u -r1.140 -r1.141 src/sys/netinet6/nd6.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/45764 CVS commit: src/sys/net
Date: Thu, 2 Feb 2012 22:35:31 -0500
Module Name: src
Committed By: christos
Date: Fri Feb 3 03:35:30 UTC 2012
Modified Files:
src/sys/net: if.c
Log Message:
PR/45764, PR/45914
Part 2:
Arrange so that the pointers that we free (ifp->if_afdata, dom->dom_ifqueues[i])
are set to NULL.
While I am here, add a continue.
To generate a diff of this commit:
cvs rdiff -u -r1.259 -r1.260 src/sys/net/if.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
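Added example, not NetBSD's code: a simplified model of the two-part fix described in the two commit messages above. `struct ifnet`, `if_afdata`, `nd6_purge` and `dom_ifdetach` are stand-in names for the real kernel objects; to keep the demonstration deterministic, "freeing" poisons the block instead of returning it to malloc, mimicking a kernel allocator's freed-memory fill (the block is intentionally leaked).

```c
/* Models PR/45764: Part 1 makes the consumer (nd6_purge) NULL-check
 * if_afdata[AF_INET6]; Part 2 makes the owner (dom_ifdetach) clear the
 * pointer after freeing it. Either part alone leaves a window: a NULL
 * check cannot catch a dangling non-NULL pointer. Simplified model only. */
#include <stdlib.h>
#include <string.h>

#define AF_MAX   4
#define AF_INET6 2
#define POISON   0xdf   /* assumed freed-memory fill pattern */

struct nd_ifinfo { int ready; };            /* stand-in for per-AF ND state */
struct ifnet { void *if_afdata[AF_MAX]; };  /* stand-in for struct ifnet   */

/* Models kmem_free(): overwrite the block so stale reads see garbage. */
static void poison_free(void *p, size_t n) { memset(p, POISON, n); }

static struct ifnet *if_attach_model(void) {
    struct ifnet *ifp = calloc(1, sizeof(*ifp));
    struct nd_ifinfo *nd = calloc(1, sizeof(*nd));
    nd->ready = 1;
    ifp->if_afdata[AF_INET6] = nd;
    return ifp;
}

/* Before Part 2: frees the block but leaves the dangling pointer behind. */
static void dom_ifdetach_old(struct ifnet *ifp) {
    poison_free(ifp->if_afdata[AF_INET6], sizeof(struct nd_ifinfo));
}
/* Part 2: free and clear, so a later consumer sees NULL, never garbage. */
static void dom_ifdetach_fixed(struct ifnet *ifp) {
    poison_free(ifp->if_afdata[AF_INET6], sizeof(struct nd_ifinfo));
    ifp->if_afdata[AF_INET6] = NULL;
}

/* Before Part 1: takes the pointer offset unconditionally; on a dangling
 * pointer it reads poisoned memory and returns a garbage flag value. */
static int nd6_purge_old(struct ifnet *ifp) {
    struct nd_ifinfo *nd = ifp->if_afdata[AF_INET6];
    return nd->ready;
}
/* Part 1: check for NULL before dereferencing; -1 means nothing to purge. */
static int nd6_purge_fixed(struct ifnet *ifp) {
    struct nd_ifinfo *nd = ifp->if_afdata[AF_INET6];
    if (nd == NULL)
        return -1;
    return nd->ready;
}
```

With the old detach, even the NULL-checking purge still reads the poisoned block, which is why the commit landed both halves.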
State-Changed-From-To: open->feedback
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Tue, 08 Sep 2015 05:30:04 +0000
State-Changed-Why:
Is this fixed? Does it need pullups?
State-Changed-From-To: feedback->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Sun, 29 May 2016 23:05:36 +0000
State-Changed-Why:
Assume fixed and assume changes from 2012 are old enough to not need pullups
now.
>Unformatted: