NetBSD Problem Report #45914
From riz@breadfruit.tastylime.net Thu Feb 2 19:02:03 2012
Return-Path: <riz@breadfruit.tastylime.net>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
by www.NetBSD.org (Postfix) with ESMTP id DCFD863C41D
for <gnats-bugs@gnats.NetBSD.org>; Thu, 2 Feb 2012 19:02:03 +0000 (UTC)
Message-Id: <20120202175826.3D81E54E94@breadfruit.tastylime.net>
Date: Thu, 2 Feb 2012 09:58:26 -0800 (PST)
From: riz@NetBSD.org
Reply-To: riz@NetBSD.org
To: gnats-bugs@gnats.NetBSD.org
Subject: destroying a network interface crashes dom0 kernel
X-Send-Pr-Version: 3.95
>Number: 45914
>Category: kern
>Synopsis: destroying a network interface crashes dom0 kernel
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Feb 02 19:05:00 +0000 2012
>Closed-Date: Sun Apr 22 19:19:32 +0000 2012
>Last-Modified: Sun Apr 22 19:19:32 +0000 2012
>Originator: Jeff Rizzo
>Release: NetBSD 5.99.63, also late 5.99.60
>Organization:
>Environment:
System: NetBSD xenserver1.boogers.sf.ca.us 5.99.60 NetBSD 5.99.60 (XS1) #56: Wed Feb 1 21:37:45 PST 2012 riz@hack.lan:/Users/riz/Documents/code/netbsd/obj.amd64/sys/arch/amd64/compile/XS1 amd64
Architecture: x86_64
Machine: amd64
>Description:
As of this commit:
http://mail-index.netbsd.org/source-changes/2012/01/27/msg031054.html
...destroying a network interface on my Xen DOM0 box crashes the kernel:
****************
xenserver1# ifconfig vlan0 create
xenserver1# ifconfig vlan0 destroy
fatal protection fault in supervisor mode
trap type 4 code 0 rip ffffffff804dfaf5 cs e030 rflags 10206 cr2 7f7ff780d93f cpl 6 rsp ffffa00000d7d660
kernel: protection fault trap, code=0
Stopped in pid 436.1 (ifconfig) at netbsd:nd6_purge+0xb5: movl 14(%r12),%eax
nd6_purge() at netbsd:nd6_purge+0xb5
in6_ifdetach() at netbsd:in6_ifdetach+0x21
udp6_usrreq() at netbsd:udp6_usrreq+0x208
if_detach() at netbsd:if_detach+0x112
vlan_clone_destroy() at netbsd:vlan_clone_destroy+0x63
ifioctl() at netbsd:ifioctl+0x3c3
sys_ioctl() at netbsd:sys_ioctl+0x13c
syscall() at netbsd:syscall+0xc4
ds a5c0
es a788
fs 0
gs 0
rdi ffffa000011bdd80
rsi 0
rbp ffffa00000d7d680
rbx ffffa00000eaf008
rdx ffffffff803c8617 in6_purgeaddr
rcx ffffa00000eaa5c0
rax 4
r8 ffffa00000eaf008
r9 ffffa00000eaa5c0
r10 ffffa000018d62c4
r11 2
r12 2687e94bad0e70d2
r13 0
r14 0
r15 0
rip ffffffff804dfaf5 nd6_purge+0xb5
cs e030
rflags 10206
rsp ffffa00000d7d660
ss e02b
netbsd:nd6_purge+0xb5: movl 14(%r12),%eax
db>
****************
My assumption is that the kmem changes in that commit have exposed a
longer-standing bug. Please note PR#45764, which is against 5.1, and looks
very similar to this.
>How-To-Repeat:
xenserver1# ifconfig vlan0 create
xenserver1# ifconfig vlan0 destroy
fatal protection fault in supervisor mode
trap type 4 code 0 rip ffffffff804dfaf5 cs e030 rflags 10206 cr2 7f7ff780d93f cpl 6 rsp ffffa00000d7d660
kernel: protection fault trap, code=0
Stopped in pid 436.1 (ifconfig) at netbsd:nd6_purge+0xb5: movl 14(%r12),%eax
nd6_purge() at netbsd:nd6_purge+0xb5
in6_ifdetach() at netbsd:in6_ifdetach+0x21
udp6_usrreq() at netbsd:udp6_usrreq+0x208
if_detach() at netbsd:if_detach+0x112
vlan_clone_destroy() at netbsd:vlan_clone_destroy+0x63
ifioctl() at netbsd:ifioctl+0x3c3
sys_ioctl() at netbsd:sys_ioctl+0x13c
syscall() at netbsd:syscall+0xc4
ds a5c0
es a788
fs 0
gs 0
rdi ffffa000011bdd80
rsi 0
rbp ffffa00000d7d680
rbx ffffa00000eaf008
rdx ffffffff803c8617 in6_purgeaddr
rcx ffffa00000eaa5c0
rax 4
r8 ffffa00000eaf008
r9 ffffa00000eaa5c0
r10 ffffa000018d62c4
r11 2
r12 2687e94bad0e70d2
r13 0
r14 0
r15 0
rip ffffffff804dfaf5 nd6_purge+0xb5
cs e030
rflags 10206
rsp ffffa00000d7d660
ss e02b
netbsd:nd6_purge+0xb5: movl 14(%r12),%eax
db>
>Fix:
None given.
>Release-Note:
>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/45914 CVS commit: src/sys/netinet6
Date: Thu, 2 Feb 2012 22:32:45 -0500
Module Name: src
Committed By: christos
Date: Fri Feb 3 03:32:45 UTC 2012
Modified Files:
src/sys/netinet6: nd6.c
Log Message:
PR/45764, PR/45914
Part 1:
nd6_purge can be called after dom_ifdetach, and if_afdata[AF_INET6] is
going to be freed and point to garbage. Make sure we check for NULL, before
taking the pointer offset.
While I am here, add an M_ZERO.
To generate a diff of this commit:
cvs rdiff -u -r1.140 -r1.141 src/sys/netinet6/nd6.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/45914 CVS commit: src/sys/net
Date: Thu, 2 Feb 2012 22:35:31 -0500
Module Name: src
Committed By: christos
Date: Fri Feb 3 03:35:30 UTC 2012
Modified Files:
src/sys/net: if.c
Log Message:
PR/45764, PR/45914
Part 2:
Arrange so that the pointers that we free (ifp->if_afdata, dom->dom_ifqueues[i])
are set to NULL.
While I am here, add a continue.
To generate a diff of this commit:
cvs rdiff -u -r1.259 -r1.260 src/sys/net/if.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
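The two commits above describe one pattern: dom_ifdetach frees the block hung off ifp->if_afdata[AF_INET6] but leaves the pointer in place, and nd6_purge, reached later in the same if_detach path, dereferences it (r12 in the trace holds 2687e94bad0e70d2, not a kernel address). Part 1 adds the NULL check in the reader, Part 2 nulls the pointer in the freer. The C model below is an added example, not NetBSD code and not the committed diff. AF6_SLOT, struct afdata, model_alloc/model_free, dom_ifdetach_*, nd6_purge_* and the scenario_* drivers are stand-in names chosen here. Freed blocks are poisoned with 0xde inside a private arena that is never returned to the host allocator, so the buggy read yields garbage deterministically instead of faulting; in a real kernel the same read is a use-after-free.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical model of PR/45914, not NetBSD code.  AF6_SLOT, struct afdata,
 * dom_ifdetach_*() and nd6_purge_*() stand in for ifp->if_afdata[AF_INET6],
 * dom_ifdetach and nd6_purge.
 */
#define AF6_SLOT 0
#define NSLOTS   2

struct afdata {			/* per-AF data hung off the ifnet */
	uint32_t flags;
	uint32_t reachable_ms;
};

struct ifnet {
	void *if_afdata[NSLOTS];
};

/*
 * Arena that poisons blocks on free and never hands them back to the host
 * allocator, so reading a freed block stays defined in this model.  It stands
 * in for the kmem(9) change that left freed memory holding garbage.
 */
#define POISON_BYTE 0xde
static unsigned char *arena;
static size_t arena_off;

static void *model_alloc(size_t n)
{
	if (arena == NULL)
		arena = malloc(4096);
	void *p = arena + arena_off;
	arena_off += (n + 15) & ~(size_t)15;
	memset(p, 0, n);		/* the M_ZERO the fix adds */
	return p;
}

static void model_free(void *p, size_t n)
{
	memset(p, POISON_BYTE, n);	/* block now holds garbage */
}

/* Buggy ordering: free the block, leave the slot, dereference it later. */
static void dom_ifdetach_buggy(struct ifnet *ifp)
{
	model_free(ifp->if_afdata[AF6_SLOT], sizeof(struct afdata));
	/* slot still holds the old address: dangling pointer */
}

static uint32_t nd6_purge_buggy(struct ifnet *ifp)
{
	struct afdata *ad = ifp->if_afdata[AF6_SLOT];
	return ad->flags;		/* reads whatever the freed block holds */
}

/* Fixed: NULL the slot when freeing (Part 2), check it before use (Part 1). */
static void dom_ifdetach_fixed(struct ifnet *ifp)
{
	model_free(ifp->if_afdata[AF6_SLOT], sizeof(struct afdata));
	ifp->if_afdata[AF6_SLOT] = NULL;
}

static int nd6_purge_fixed(struct ifnet *ifp, uint32_t *flags_out)
{
	struct afdata *ad = ifp->if_afdata[AF6_SLOT];
	if (ad == NULL)
		return 0;		/* already detached: nothing to purge */
	*flags_out = ad->flags;
	return 1;
}

/* Each driver builds a fresh interface whose AF data has flags == 4. */
static void setup(struct ifnet *ifp)
{
	struct afdata *ad = model_alloc(sizeof *ad);
	ad->flags = 4;
	ifp->if_afdata[AF6_SLOT] = ad;
	ifp->if_afdata[1] = NULL;
}

uint32_t scenario_buggy(void)		/* returns 0xdededede, not 4 */
{
	struct ifnet ifp;
	setup(&ifp);
	dom_ifdetach_buggy(&ifp);
	return nd6_purge_buggy(&ifp);
}

int scenario_fixed(void)		/* returns 0: purge skipped */
{
	struct ifnet ifp;
	uint32_t f = 0;
	setup(&ifp);
	dom_ifdetach_fixed(&ifp);
	return nd6_purge_fixed(&ifp, &f);
}

uint32_t scenario_live(void)		/* returns 4: not yet detached */
{
	struct ifnet ifp;
	uint32_t f = 0;
	setup(&ifp);
	return nd6_purge_fixed(&ifp, &f) == 1 ? f : 0xffffffffu;
}

int main(void)
{
	printf("buggy purge read 0x%08x\n", scenario_buggy());
	printf("fixed purge after detach returned %d\n", scenario_fixed());
	return 0;
}
```

Both halves of the fix are needed: nulling the slot alone still leaves nd6_purge dereferencing NULL, and the NULL check alone does nothing while the slot still holds the stale address. The arena's poison-on-free is also why the bug surfaced only after the kmem change; before it, the freed block usually still held its old contents and the stale read went unnoticed.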
State-Changed-From-To: open->pending-pullups
State-Changed-By: riz@NetBSD.org
State-Changed-When: Fri, 03 Feb 2012 19:50:31 +0000
State-Changed-Why:
This has been submitted for pullup.
State-Changed-From-To: pending-pullups->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Sun, 22 Apr 2012 19:19:32 +0000
State-Changed-Why:
The pullup for -5 was dropped because it turned out -5 is not affected.
The change is already in -6.
>Unformatted: