NetBSD Problem Report #53546
From msaitoh@five.execsw.org Fri Aug 24 05:24:58 2018
Return-Path: <msaitoh@five.execsw.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 1AC587A111
for <gnats-bugs@gnats.NetBSD.org>; Fri, 24 Aug 2018 05:24:58 +0000 (UTC)
Message-Id: <20180824052455.CDAA3886125@five.execsw.org>
Date: Fri, 24 Aug 2018 14:24:55 +0900 (JST)
From: msaitoh@execsw.org
Reply-To: msaitoh@execsw.org
To: gnats-bugs@NetBSD.org
Subject: ifconfig tapXXXXX problem (wrong unit name or panic)
X-Send-Pr-Version: 3.95
>Number: 53546
>Category: kern
>Synopsis: ifconfig tapXXXXX problem (wrong unit name or panic)
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Aug 24 05:25:00 +0000 2018
>Last-Modified: Thu Jun 25 14:25:01 +0000 2020
>Originator: msaitoh@execsw.org
>Release: NetBSD 8.99.24
>Organization:
>Environment:
-current, netbsd-8 or any?
>Description:
ifconfig tap32767 create
[ 1463.1846103] tap32767: Ethernet address f2:0b:a4:4f:f4:db
ifconfig tap65536 create
[ 1476.5086828] tap0: Ethernet address f2:0b:a4:93:22:e6
(not 65536 but 0)
ifconfig tap65537 create
[ 1491.1341302] tap1: Ethernet address f2:0b:a4:1c:e7:17
(not 65537 but 1)
ifconfig tap99999 create
[ 87.5741145] uvm_fault(0xffffffff81519260, 0xfffffffffffc3000, 1) -> e
[ 87.5741145] fatal page fault in supervisor mode
[ 87.5741145] trap type 6 code 0 rip 0xffffffff809b2175 cs 0x8 rflags 0x10213 cr2 0xfffffffffffc34f8 ilevel 0x8 rsp 0xffffbc813e1e7c00
[ 87.5741145] curlwp 0xffffe3fa3ff924e0 pid 72.1 lowest kstack 0xffffbc813e1e42c0
kernel: page fault trap, code=0
Stopped in pid 72.1 (ifconfig) at netbsd:config_devalloc+0x128: cmpq $
0,0(%rcx,%rax,8)
db{0}> trace
config_devalloc() at netbsd:config_devalloc+0x128
config_attach_pseudo() at netbsd:config_attach_pseudo+0x16
tap_clone_creator() at netbsd:tap_clone_creator+0x46
tap_clone_create() at netbsd:tap_clone_create+0x12
doifioctl() at netbsd:doifioctl+0xe81
sys_ioctl() at netbsd:sys_ioctl+0x11c
syscall() at netbsd:syscall+0x173
--- syscall (number 54) ---
7f7ff711a71a:
db{0}> reboot
rebooting...
>How-To-Repeat:
See above.
>Fix:
I don't know :(
>Audit-Trail:
From: mlelstv@serpens.de (Michael van Elst)
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/53546: ifconfig tapXXXXX problem (wrong unit name or panic)
Date: Fri, 24 Aug 2018 09:00:29 -0000 (UTC)
msaitoh@execsw.org writes:
> ifconfig tap65537 create
> [ 1491.1341302] tap1: Ethernet address f2:0b:a4:1c:e7:17
> (not 65537 but 1)
tap is not only an interface but also a character device and both share the
same unit number. Device unit numbers are of type 'short'.
> ifconfig tap99999 create
that translates to a negative device unit number that isn't validated.
Checking the unit number for positive short values in tap_clone_creator()
should fix both problems.
--
--
Michael van Elst
Internet: mlelstv@serpens.de
"A potential Snark may lurk in every tree."
From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@NetBSD.org, kern-bug-people@netbsd.org,
gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, msaitoh@execsw.org
Cc:
Subject: Re: kern/53546: ifconfig tapXXXXX problem (wrong unit name or panic)
Date: Fri, 24 Aug 2018 06:06:06 -0400
On Aug 24, 9:05am, mlelstv@serpens.de (Michael van Elst) wrote:
-- Subject: Re: kern/53546: ifconfig tapXXXXX problem (wrong unit name or pan
| The following reply was made to PR kern/53546; it has been noted by GNATS.
|
| From: mlelstv@serpens.de (Michael van Elst)
| To: gnats-bugs@netbsd.org
| Cc:
| Subject: Re: kern/53546: ifconfig tapXXXXX problem (wrong unit name or panic)
| Date: Fri, 24 Aug 2018 09:00:29 -0000 (UTC)
|
| msaitoh@execsw.org writes:
|
| > ifconfig tap65537 create
| > [ 1491.1341302] tap1: Ethernet address f2:0b:a4:1c:e7:17
| > (not 65537 but 1)
|
| tap is not only an interface but also a character device and both share the
| same unit number. Device unit numbers are of type 'short'.
|
| > ifconfig tap99999 create
|
| that translates to a negative device unit number that isn't validated.
|
| Checking the unit number for positive short values in tap_clone_creator()
| should fix both problems.
Why don't we make cf_unit and dv_unit unsigned int?
christos
From: Robert Elz <kre@munnari.OZ.AU>
To: christos@zoulas.com (Christos Zoulas)
Cc: gnats-bugs@NetBSD.org, kern-bug-people@netbsd.org, gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org, msaitoh@execsw.org
Subject: Re: kern/53546: ifconfig tapXXXXX problem (wrong unit name or panic)
Date: Fri, 24 Aug 2018 19:08:24 +0700
Date: Fri, 24 Aug 2018 06:06:06 -0400
From: christos@zoulas.com (Christos Zoulas)
Message-ID: <20180824100606.0CFF417FDA1@rebar.astron.com>
| Why don't we make cf_unit and dv_unit unsigned int?
Even if there was enough minor unit number space to support that,
all it is doing is altering the values at which weirdness appears.
I cannot imagine a use case for > 30000 pseudo devices of any
type (or any other kind of interface or device) - the closest I can
see if with vlans where it is nice to be able to have the vlan number
and the interface number matching - but that takes just 12 bits.
kre
From: christos@zoulas.com (Christos Zoulas)
To: Robert Elz <kre@munnari.OZ.AU>
Cc: gnats-bugs@NetBSD.org, kern-bug-people@netbsd.org,
gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, msaitoh@execsw.org
Subject: Re: kern/53546: ifconfig tapXXXXX problem (wrong unit name or panic)
Date: Fri, 24 Aug 2018 11:17:36 -0400
On Aug 24, 7:08pm, kre@munnari.OZ.AU (Robert Elz) wrote:
-- Subject: Re: kern/53546: ifconfig tapXXXXX problem (wrong unit name or pan
| Date: Fri, 24 Aug 2018 06:06:06 -0400
| From: christos@zoulas.com (Christos Zoulas)
| Message-ID: <20180824100606.0CFF417FDA1@rebar.astron.com>
|
| | Why don't we make cf_unit and dv_unit unsigned int?
|
| Even if there was enough minor unit number space to support that,
| all it is doing is altering the values at which weirdness appears.
|
| I cannot imagine a use case for > 30000 pseudo devices of any
| type (or any other kind of interface or device) - the closest I can
| see if with vlans where it is nice to be able to have the vlan number
| and the interface number matching - but that takes just 12 bits.
|
So dv_unit is and int already... minor() which is used for dv_unit
is uint32_t already. There are no meaningful uses for negative
dv_unit or cf_unit and they are compared directly to ceach other
on many places. Instead of adding checks for truncation it is easier
to widen them and make them the same size (meaningful or not). So
I suggest that both become uint32_t.
Best,
christos
From: "Jukka Ruohonen" <jruoho@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/53546 CVS commit: src
Date: Thu, 25 Jun 2020 14:24:46 +0000
Module Name: src
Committed By: jruoho
Date: Thu Jun 25 14:24:46 UTC 2020
Modified Files:
src/distrib/sets/lists/tests: mi
src/tests/sbin/ifconfig: Makefile
Added Files:
src/tests/sbin/ifconfig: t_tap.sh
Log Message:
Add test cases for PR kern/53546 and PR kern/55417. Both are skipped as
both reproduce panics.
To generate a diff of this commit:
cvs rdiff -u -r1.848 -r1.849 src/distrib/sets/lists/tests/mi
cvs rdiff -u -r1.2 -r1.3 src/tests/sbin/ifconfig/Makefile
cvs rdiff -u -r0 -r1.1 src/tests/sbin/ifconfig/t_tap.sh
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
(Contact us)
$NetBSD: query-full-pr,v 1.46 2020/01/03 16:35:01 leot Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2020
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.
Home