NetBSD Problem Report #52324

From www@NetBSD.org  Thu Jun 22 19:39:24 2017
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 4DE807A266
	for <gnats-bugs@gnats.NetBSD.org>; Thu, 22 Jun 2017 19:39:24 +0000 (UTC)
Message-Id: <20170622193923.351C67A291@mollari.NetBSD.org>
Date: Thu, 22 Jun 2017 19:39:23 +0000 (UTC)
From: tnn@NetBSD.org
Reply-To: tnn@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: assertion "(target->prt_class == class)" failed: subr_psref.c", line 285
X-Send-Pr-Version: www-1.0

>Number:         52324
>Category:       kern
>Synopsis:       assertion "(target->prt_class == class)" failed: subr_psref.c", line 285
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jun 22 19:40:00 +0000 2017
>Closed-Date:    Mon Jul 03 01:12:09 +0000 2017
>Last-Modified:  Mon Jul 03 01:12:09 +0000 2017
>Originator:     Tobias Nygren
>Release:        8.99.1 amd64
>Organization:
>Environment:
>Description:
I can reliably trigger this panic from userland by running a certain java application.

panic: kernel diagnostic assertion "(target->prt_class == class)" failed: file "/work/src/sys/kern/subr_psref.c", line 285 mismatched psref target class: 0x0 (ref) != 0xffffe400bfe0ed08 (expected)
fatal breakpoint trap in supervisor mode
trap type 1 code 0 rip 0xffffffff802249f5 cs 0x8 rflags 0x246 cr2 0x10020f000 ilevel 0x4 rsp 0xffffe40045b75b60
curlwp 0xffffe400beb28200 pid 533.2 lowest kstack 0xffffe40045b722c0
[0xffffffff802249f5->breakpoint][0xffffffff80226450->cpu_Debugger][0xffffffff80742474->db_panic][0xffffffff80990401->vpanic][0xffffffff80ce36b8->kern_assert][0xffffffff8099140b->psref_release][0xffffffff80a20d7e->if_put][0xffffffff806f4b38->ip6_ctloutput][0xffffffff80708380->udp6_ctloutput][0xffffffff806ea121->udp6_ctloutput_wrapper][0xffffffff809c286a->sosetopt][0xffffffff809c6ef2->sys_setsockopt][0xffffffff80250765->syscall]
dumping to dev 20,1 (offset=14682167, size=786319):

>How-To-Repeat:
I'll leave out the exact details since it might be possible for unprivileged userland to mess with the kernel if DIAGNOSTIC/DEBUG is not enabled. Ping me off-list for details.
>Fix:
A workaround seems to be to launch the program with -Djava.net.preferIPv4Stack=true.

>Release-Note:

>Audit-Trail:
From: Ryota Ozaki <ozaki-r@netbsd.org>
To: "gnats-bugs@NetBSD.org" <gnats-bugs@netbsd.org>
Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: kern/52324: assertion "(target->prt_class == class)" failed:
 subr_psref.c", line 285
Date: Fri, 23 Jun 2017 10:42:18 +0900

 On Fri, Jun 23, 2017 at 4:40 AM,  <tnn@netbsd.org> wrote:
 >>Number:         52324
 >>Category:       kern
 >>Synopsis:       assertion "(target->prt_class == class)" failed: subr_psref.c", line 285
 >>Confidential:   no
 >>Severity:       serious
 >>Priority:       medium
 >>Responsible:    kern-bug-people
 >>State:          open
 >>Class:          sw-bug
 >>Submitter-Id:   net
 >>Arrival-Date:   Thu Jun 22 19:40:00 +0000 2017
 >>Originator:     Tobias Nygren
 >>Release:        8.99.1 amd64
 >>Organization:
 >>Environment:
 >>Description:
 > I can reliably trigger this panic from userland by running a certain java application.
 >
 > panic: kernel diagnostic assertion "(target->prt_class == class)" failed: file "/work/src/sys/kern/subr_psref.c", line 285 mismatched psref target class: 0x0 (ref) != 0xffffe400bfe0ed08 (expected)
 > fatal breakpoint trap in supervisor mode
 > trap type 1 code 0 rip 0xffffffff802249f5 cs 0x8 rflags 0x246 cr2 0x10020f000 ilevel 0x4 rsp 0xffffe40045b75b60
 > curlwp 0xffffe400beb28200 pid 533.2 lowest kstack 0xffffe40045b722c0
 > [0xffffffff802249f5->breakpoint][0xffffffff80226450->cpu_Debugger][0xffffffff80742474->db_panic][0xffffffff80990401->vpanic][0xffffffff80ce36b8->kern_assert][0xffffffff8099140b->psref_release][0xffffffff80a20d7e->if_put][0xffffffff806f4b38->ip6_ctloutput][0xffffffff80708380->udp6_ctloutput][0xffffffff806ea121->udp6_ctloutput_wrapper][0xffffffff809c286a->sosetopt][0xffffffff809c6ef2->sys_setsockopt][0xffffffff80250765->syscall]
 > dumping to dev 20,1 (offset=14682167, size=786319):

 Could you try the following diff?

   ozaki-r

 diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
 index f9ddeaba9ac..688327e10e6 100644
 --- a/sys/netinet6/ip6_output.c
 +++ b/sys/netinet6/ip6_output.c
 @@ -2561,6 +2561,7 @@ ip6_setmoptions(const struct sockopt *sopt,
 struct in6pcb *in6p)
                  * Group must be a valid IP6 multicast address.
                  */
                 bound =3D curlwp_bind();
 +               ifp =3D NULL;
                 error =3D ip6_get_membership(sopt, &ifp, &psref, &ia, sizeo=
 f(ia));
                 if (error !=3D 0) {
                         curlwp_bindx(bound);
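
Review bot: the ifp = NULL store ahead of the ip6_get_membership(sopt, &ifp, &psref, &ia, sizeof(ia)) call repairs only this one call site in ip6_setmoptions(), and nothing in the hunk says why the store is needed. If the helper can return 0 without writing through its &ifp argument, clearing the out-parameter at the top of ip6_get_membership() would cover any other caller as well; failing that, add a one-line comment above the assignment saying that the callee may leave ifp unset on success, so the store is not later removed as redundant.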

From: Ryota Ozaki <ozaki-r@netbsd.org>
To: "gnats-bugs@NetBSD.org" <gnats-bugs@netbsd.org>
Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, 
	tnn@netbsd.org
Subject: Re: kern/52324: assertion "(target->prt_class == class)" failed:
 subr_psref.c", line 285
Date: Fri, 23 Jun 2017 10:48:13 +0900

 On Fri, Jun 23, 2017 at 10:45 AM, Ryota Ozaki <ozaki-r@netbsd.org> wrote:
 > The following reply was made to PR kern/52324; it has been noted by GNATS.
 >
 > From: Ryota Ozaki <ozaki-r@netbsd.org>
 > To: "gnats-bugs@NetBSD.org" <gnats-bugs@netbsd.org>
 > Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
 > Subject: Re: kern/52324: assertion "(target->prt_class == class)" failed:
 >  subr_psref.c", line 285
 > Date: Fri, 23 Jun 2017 10:42:18 +0900
 >
 >  On Fri, Jun 23, 2017 at 4:40 AM,  <tnn@netbsd.org> wrote:
 >  >>Number:         52324
 >  >>Category:       kern
 >  >>Synopsis:       assertion "(target->prt_class == class)" failed: subr_psref.c", line 285
 >  >>Confidential:   no
 >  >>Severity:       serious
 >  >>Priority:       medium
 >  >>Responsible:    kern-bug-people
 >  >>State:          open
 >  >>Class:          sw-bug
 >  >>Submitter-Id:   net
 >  >>Arrival-Date:   Thu Jun 22 19:40:00 +0000 2017
 >  >>Originator:     Tobias Nygren
 >  >>Release:        8.99.1 amd64
 >  >>Organization:
 >  >>Environment:
 >  >>Description:
 >  > I can reliably trigger this panic from userland by running a certain java application.
 >  >
 >  > panic: kernel diagnostic assertion "(target->prt_class == class)" failed: file "/work/src/sys/kern/subr_psref.c", line 285 mismatched psref target class: 0x0 (ref) != 0xffffe400bfe0ed08 (expected)
 >  > fatal breakpoint trap in supervisor mode
 >  > trap type 1 code 0 rip 0xffffffff802249f5 cs 0x8 rflags 0x246 cr2 0x10020f000 ilevel 0x4 rsp 0xffffe40045b75b60
 >  > curlwp 0xffffe400beb28200 pid 533.2 lowest kstack 0xffffe40045b722c0
 >  > [0xffffffff802249f5->breakpoint][0xffffffff80226450->cpu_Debugger][0xffffffff80742474->db_panic][0xffffffff80990401->vpanic][0xffffffff80ce36b8->kern_assert][0xffffffff8099140b->psref_release][0xffffffff80a20d7e->if_put][0xffffffff806f4b38->ip6_ctloutput][0xffffffff80708380->udp6_ctloutput][0xffffffff806ea121->udp6_ctloutput_wrapper][0xffffffff809c286a->sosetopt][0xffffffff809c6ef2->sys_setsockopt][0xffffffff80250765->syscall]
 >  > dumping to dev 20,1 (offset=14682167, size=786319):
 >
 >  Could you try the following diff?
 >
 >    ozaki-r
 >
 >  diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
 >  index f9ddeaba9ac..688327e10e6 100644
 >  --- a/sys/netinet6/ip6_output.c
 >  +++ b/sys/netinet6/ip6_output.c
 >  @@ -2561,6 +2561,7 @@ ip6_setmoptions(const struct sockopt *sopt,
 >  struct in6pcb *in6p)
 >                   * Group must be a valid IP6 multicast address.
 >                   */
 >                  bound =3D curlwp_bind();
 >  +               ifp =3D NULL;

 hmm, something went wrong. ifp = NULL is correct of course.

   ozaki-r

 >                  error =3D ip6_get_membership(sopt, &ifp, &psref, &ia, sizeo=
 >  f(ia));
 >                  if (error !=3D 0) {
 >                          curlwp_bindx(bound);

State-Changed-From-To: open->feedback
State-Changed-By: ozaki-r@NetBSD.org
State-Changed-When: Fri, 23 Jun 2017 02:27:43 +0000
State-Changed-Why:
A patch is provided.


From: Robert Elz <kre@munnari.OZ.AU>
To: Ryota Ozaki <ozaki-r@netbsd.org>
Cc: "gnats-bugs@NetBSD.org" <gnats-bugs@netbsd.org>,
        kern-bug-people@netbsd.org, gnats-admin@netbsd.org,
        netbsd-bugs@netbsd.org, tnn@netbsd.org
Subject: Re: kern/52324: assertion "(target->prt_class == class)" failed: subr_psref.c", line 285
Date: Fri, 23 Jun 2017 13:47:12 +0700

     Date:        Fri, 23 Jun 2017 10:48:13 +0900
     From:        Ryota Ozaki <ozaki-r@netbsd.org>
     Message-ID:  <CAKrYomgX+L=AAufSRVCw2ngzFxa7boLdyqAMNNXT8=RFU_uh+Q@mail.gmail.com>

   | hmm, something went wrong. ifp = NULL is correct of course.
   | 
   |   ozaki-r

 The something that "went wrong" is gnats... the copy of your message to the
 mailing list(s) was formatted correctly, just the version that gnats
 sent to the PR recipients gets QP'd and = turns into =3D (it has to because
 of = being the QP escape character.)

 This happens all the time, and is one of the reasons we all love gnats so much!

 kre

From: Ryota Ozaki <ozaki-r@netbsd.org>
To: Robert Elz <kre@munnari.oz.au>
Cc: "gnats-bugs@NetBSD.org" <gnats-bugs@netbsd.org>, kern-bug-people@netbsd.org, 
	gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, tnn@netbsd.org
Subject: Re: kern/52324: assertion "(target->prt_class == class)" failed:
 subr_psref.c", line 285
Date: Fri, 23 Jun 2017 17:48:04 +0900

 On Fri, Jun 23, 2017 at 3:47 PM, Robert Elz <kre@munnari.oz.au> wrote:
 >     Date:        Fri, 23 Jun 2017 10:48:13 +0900
 >     From:        Ryota Ozaki <ozaki-r@netbsd.org>
 >     Message-ID:  <CAKrYomgX+L=AAufSRVCw2ngzFxa7boLdyqAMNNXT8=RFU_uh+Q@mail.gmail.com>
 >
 >   | hmm, something went wrong. ifp = NULL is correct of course.
 >   |
 >   |   ozaki-r
 >
 > The something that "went wrong" is gnats... the copy of your message to the
 > mailing list(s) was formatted correctly, just the version that gnats
 > sent to the PR recipients gets QP'd and = turns into =3D (it has to because
 > of = being the QP escape character.)

 Oh got it. Thanks.

 >
 > This happens all the time, and is one of the reasons we all love gnats so much!

 May need more love :-|

   ozaki-r

From: Tobias Nygren <tnn@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/52324: assertion "(target->prt_class == class)" failed:
 subr_psref.c", line 285
Date: Sat, 24 Jun 2017 12:55:02 +0200

 On Fri, 23 Jun 2017 01:45:01 +0000 (UTC)
 Ryota Ozaki <ozaki-r@netbsd.org> wrote:

 >  Could you try the following diff?

 Yes, it solved the problem.
 Thank you!

From: "Ryota Ozaki" <ozaki-r@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/52324 CVS commit: src/sys/netinet6
Date: Mon, 26 Jun 2017 08:01:53 +0000

 Module Name:	src
 Committed By:	ozaki-r
 Date:		Mon Jun 26 08:01:53 UTC 2017

 Modified Files:
 	src/sys/netinet6: ip6_output.c

 Log Message:
 Fix usage of ip6_get_membership

 It may set nothing to ifp even if returning 0. So we need to NULL-clear
 ifp before calling it.

 Fix PR kern/52324


 To generate a diff of this commit:
 cvs rdiff -u -r1.191 -r1.192 src/sys/netinet6/ip6_output.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
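
The failure mode named in the log message above (a callee that returns 0 without writing its out-parameter, followed by a release of whatever the caller's variable held), as an added example: this is a constructed user-space model, not NetBSD code. The names get_membership_model, put_model, run_case and the select_if flag are hypothetical; which requests make the real function skip the write is not stated on the page.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct ifnet_model { int refs; };   /* constructed stand-in for an interface */
static int bad_releases;            /* releases that had no matching acquire */

/* Callee model: may return 0 without writing *ifpp (select_if == 0). */
static int get_membership_model(struct ifnet_model *tab, size_t n,
    int select_if, size_t idx, struct ifnet_model **ifpp)
{
    if (!select_if)
        return 0;                   /* success, out-parameter left untouched */
    if (idx >= n)
        return ENXIO;
    tab[idx].refs++;                /* acquire a reference */
    *ifpp = &tab[idx];
    return 0;
}

/* Release model: counts what a reference-tracking assertion would catch. */
static void put_model(struct ifnet_model *ifp)
{
    if (ifp == NULL)
        return;
    if (ifp->refs == 0)
        bad_releases++;
    else
        ifp->refs--;
}

/* Caller model; `stale` is whatever the local held before the call. */
static int run_case(int select_if, size_t idx, int clear_first)
{
    struct ifnet_model tab[2] = { {0}, {0} };
    struct ifnet_model *stale = &tab[1], *ifp = stale;

    bad_releases = 0;
    if (clear_first)
        ifp = NULL;                 /* the one-line fix from the PR */
    if (get_membership_model(tab, 2, select_if, idx, &ifp) != 0)
        return -1;                  /* error path: nothing to release */
    put_model(ifp);
    return bad_releases;
}

int main(void)
{
    printf("unfixed: %d, fixed: %d\n", run_case(0, 0, 0), run_case(0, 0, 1));
    return 0;
}
```

Without the NULL store the caller releases a reference it never took; with it, the release is a no-op on the path where the callee wrote nothing.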

State-Changed-From-To: feedback->pending-pullups
State-Changed-By: ozaki-r@NetBSD.org
State-Changed-When: Mon, 26 Jun 2017 08:09:57 +0000
State-Changed-Why:
Thank you for the confirmation.

pullup-8 #73


From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/52324 CVS commit: [netbsd-8] src/sys/netinet6
Date: Sat, 1 Jul 2017 08:51:04 +0000

 Module Name:	src
 Committed By:	snj
 Date:		Sat Jul  1 08:51:04 UTC 2017

 Modified Files:
 	src/sys/netinet6 [netbsd-8]: ip6_output.c

 Log Message:
 Pull up following revision(s) (requested by ozaki-r in ticket #73):
 	sys/netinet6/ip6_output.c: revision 1.192
 Fix usage of ip6_get_membership
 It may set nothing to ifp even if returning 0. So we need to NULL-clear
 ifp before calling it.
 Fix PR kern/52324


 To generate a diff of this commit:
 cvs rdiff -u -r1.191 -r1.191.6.1 src/sys/netinet6/ip6_output.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: pending-pullups->closed
State-Changed-By: ozaki-r@NetBSD.org
State-Changed-When: Mon, 03 Jul 2017 01:12:09 +0000
State-Changed-Why:
Pulled up


>Unformatted:
