NetBSD Problem Report #53922
From coypu@sdf.org Tue Jan 29 18:20:32 2019
Return-Path: <coypu@sdf.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 348937A1A9
for <gnats-bugs@gnats.NetBSD.org>; Tue, 29 Jan 2019 18:20:32 +0000 (UTC)
Message-Id: <201901291820.x0TIKHJ4000943@sdf.org>
Date: Tue, 29 Jan 2019 18:20:17 GMT
From: coypu@sdf.org
Reply-To: coypu@sdf.org
To: gnats-bugs@NetBSD.org
Subject: My networking setup makes NetBSD panic
X-Send-Pr-Version: 3.95
>Number: 53922
>Category: kern
>Synopsis: My networking setup makes NetBSD panic
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: riastradh
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Jan 29 18:25:00 +0000 2019
>Closed-Date: Tue Apr 02 22:20:00 +0000 2024
>Last-Modified: Wed Apr 03 03:39:57 +0000 2024
>Originator: coypu@sdf.org
>Release: NetBSD 8.99.30
>Organization:
>Environment:
System: NetBSD planets 8.99.30 NetBSD 8.99.30 (GENERIC) #0: Thu Jan 10 15:02:02 IST 2019 fly@planets:/home/fly/obj2/sys/arch/amd64/compile/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:
If I reboot my router, it seems to send a packet that crashes NetBSD.
I've had it occur twice, so I assume it's reproducible.
This predates pgoyette-compat merge.
uvm_fault(0xffffec6c70d4bcf8, 0x0, 1) -> e
fatal page fault in supervisor mode
trap type 6 code 0 rip 0xffffffff80768ec7 cs 0x8 rflags 0x10246 cr2 0x18 ilevel 0x4 rsp 0xffffc701cdb779f0
curlwp 0xffffec6c70c8e8a0 pid 211.1 lowest kstack 0xffffc701cdb742c0
panic: trap
cpu0: Begin traceback...
vpanic() at netbsd:vpanic+0x16f
snprintf() at netbsd:snprintf
startlwp() at netbsd:startlwp
alltraps() at netbsd:alltraps+0xc8
pfil_run_arg.isra.0() at netbsd:pfil_run_arg.isra.0+0xb7
in6_control() at netbsd:in6_control+0x10c5
udp6_ioctl_wrapper() at netbsd:udp6_ioctl_wrapper+0x32
compat_ifioctl() at netbsd:compat_ifioctl+0x12f
doifioctl() at netbsd:doifioctl+0xbad
sys_ioctl() at netbsd:sys_ioctl+0x11c
syscall() at netbsd:syscall+0x173
--- syscall (number 54) ---
72f21bf1a74a:
cpu0: End traceback...
things running: ntpd, dhcpcd, web browser
to be explicit, not running: any packet filter
network interface:
re0 at pci8 dev 0 function 0: RealTek 8168/8111 PCIe Gigabit Ethernet (rev. 0x15)
re0: interrupting at msix3 vec 0
re0: Ethernet address 40:b0:76:0c:7d:c7
re0: using 256 tx descriptors
rgephy0 at re0 phy 7: RTL8251 1000BASE-T media interface, rev. 0
>How-To-Repeat:
Reboot the router my ISP gave me while a NetBSD machine is connected to it.
>Fix:
No idea.
>Release-Note:
>Audit-Trail:
From: coypu@sdf.org
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: kern/53922: My networking setup makes NetBSD panic
Date: Tue, 29 Jan 2019 18:57:13 +0000
this picture shows the tcpdump before the panic:
https://i.imgur.com/UOylbpT.jpg
Transcribing some parts:
IP6 (hlim 255, next-header ICMPv6 (50) payload length: 16) fe80::e26e:27b9:ae73:d100 > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 16
source link-address option (1), length 8 (1): 40:b0:76:0c:7d:c7
0x000: 48b8 760c 7dc7
ARP, Ethernet (len 6), IPv4 (len 4), Request who-has Box.Home tell 169.254.92.233, length 28
dhcpcd: fd53:b8c3:c162:dac0:e570:479e/64: lifetime overflow
uvm fault...
stopped at pid 276.1 (dhcpcd) at netbsd:npf_ifaddrhook+0x55: movq 18(%r12), %rsi
From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/53922: My networking setup makes NetBSD panic
Date: Sat, 1 Apr 2023 19:44:25 +0000
I just realized this has been sitting for four years... did anyone
ever figure anything out?
also, in the capture I see "Request who-has 169.254.92.233 tell
169.254.92.233" and that seems dodgy... (maybe I'm wrong because it's
been a long time since I last touched arp in any way but I thought
that should never happen)
--
David A. Holland
dholland@netbsd.org
From: Taylor R Campbell <riastradh@NetBSD.org>
To: coypu@sdf.org
Cc: gnats-bugs@NetBSD.org
Subject: Re: kern/53922: My networking setup makes NetBSD panic
Date: Fri, 1 Mar 2024 22:42:46 +0000
The two places in in6_control that obviously lead to pfil_run_arg are
in SIOCAIFADDR_IN6 (add interface address) and SIOCDIFADDR_IN6 (delete
interface address):
https://nxr.netbsd.org/xref/src/sys/netinet6/in6.c?r=1.272#711
https://nxr.netbsd.org/xref/src/sys/netinet6/in6.c?r=1.272#719
These are both pfil_run_addrhooks(if_pfil, ...), which means that the
only callbacks are installed with pfil_add_ihook(..., PFIL_IFADDR,
if_pfil). There are only two calls matching these patterns, in pf(4)
with pfil_ifaddr_wrapper and in npf(4) with npf_ifaddrhook:
https://nxr.netbsd.org/xref/src/sys/dist/pf/net/pf_if.c?r=1.33#142
https://nxr.netbsd.org/xref/src/sys/net/npf/npf_os.c?r=1.10#412
Note that these hooks are installed unconditionally at boot time,
irrespective of whether pf or npf is in use. (I doubt pf is loaded
because it's only ever been a loadable module, right? So it's
probably npf -- but it doesn't matter, because they do the same thing
here.)
The argument passed to pfil_run_addrhooks is struct ifaddr *ifa, and
both pf and npf do ifa->ifa_ifp:
https://nxr.netbsd.org/xref/src/sys/dist/pf/net/pf_if.c?r=1.33#142
https://nxr.netbsd.org/xref/src/sys/net/npf/npf_os.c?r=1.10#386
The fault address in %cr2 is 0x18, and:
(gdb) print &((struct ifaddr *)0)->ifa_ifp
$1 = (struct ifnet **) 0x18
So my guess is that the argument passed to the pfil hooks, namely,
&ia->ia_ifa for struct in6_ifaddr *ia (note that ia_ifa is the first
member, so this address is the same as ia), is null.
Going back to the call sites in in6_control, we have:
(SIOCDIFADDR_IN6)
717 ifaref(&ia->ia_ifa);
718 in6_purgeaddr(&ia->ia_ifa);
719 pfil_run_addrhooks(if_pfil, cmd, &ia->ia_ifa);
I don't think it is possible for ia to be null at this point, because
all that ifaref(ifa) does is atomic_inc_uint(&ifa->ifa_refcnt):
https://nxr.netbsd.org/xref/src/sys/net/if.c?r=1.443#1792
And that would crash if ifa were null, so ifaref(&ia->ia_ifa) would
crash if ia were null.
This leaves, as the only other option:
(SIOCAIFADDR_IN6)
706 int s = splsoftnet();
707 error = in6_update_ifa1(ifp, ifra, &ia, &psref, 0);
708 splx(s);
709 if (error)
710 break;
711 pfil_run_addrhooks(if_pfil, cmd, &ia->ia_ifa);
Can ia be null here? In other words, can in6_update_ifa1 return 0
while ia is null on exit? I think yes, and in only one case: in the
case that ifra->ifra_lifetime.ia6t_vltime == 0, i.e., the valid
lifetime of the address being added is zero:
https://nxr.netbsd.org/xref/src/sys/netinet6/in6.c?r=1.272#1148
1148 if (lt->ia6t_vltime == 0) {
1149 /*
1150 * the following log might be noisy, but this is a typical
1151 * configuration mistake or a tool's bug.
1152 */
1153 nd6log(LOG_INFO, "valid lifetime is 0 for %s\n",
1154 IN6_PRINT(ip6buf, &ifra->ifra_addr.sin6_addr));
1155
1156 if (ia == NULL)
1157 return 0; /* there's nothing to do */
1158 }
How can this happen? Well, there's a branch in dhcpcd that sets
dhcpcd's ia->prefix_vltime (which is later passed as
ifra->ifra_lifetime.ia6t_vltime) to zero, and prints `lifetime
overflow' as maya's screenshot indicates (using cvsweb instead of nxr
since nxr doesn't index external/):
http://cvsweb.netbsd.org/bsdweb.cgi/src/external/bsd/dhcpcd/dist/src/ipv6.c?rev=1.1.1.12&content-type=text/x-cvsweb-markup
if (ia->prefix_vltime != ND6_INFINITE_LIFETIME) {
ia->prefix_vltime -= (uint32_t)n.tv_sec;
/* This should never happen. */
if (ia->prefix_vltime > vltime) {
logerrx("%s: %s: lifetime overflow",
ifp->name, ia->saddr);
ia->prefix_vltime = ia->prefix_pltime = 0;
}
}
The log message has since been deleted but the logic is still there in
HEAD to set prefix_vltime=0.
The log message nd6log(LOG_INFO, ...) didn't show up in the screenshot
presumably because nd6_debug=0.
So I think maybe maya's ISP tried to delete an address or something by
publishing a router advertisement with an interface address having
valid lifetime zero (or possibly <1sec), and NetBSD responded by
curling up into a ball, and the PR got hidden in confidential gnats
state where nobody looked for several years.
Test case should be to just issue ioctl(SIOCAIFADDR_IN6) with the
right input.
Fix should be to change `if (error)' to `if (error || ia == NULL)',
with a comment explaining why.
From: Taylor R Campbell <riastradh@NetBSD.org>
To: coypu@sdf.org
Cc: gnats-bugs@NetBSD.org
Subject: Re: kern/53922: My networking setup makes NetBSD panic
Date: Fri, 1 Mar 2024 22:51:02 +0000
Reproducer: ifconfig lo0 inet6 fd00::1/64 pltime 0 vltime 0
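Two parts of the analysis above are worth having in runnable form: the dhcpcd lifetime decay that can turn a short or stale router advertisement into a vltime of 0, and the raw SIOCAIFADDR_IN6 ioctl that riastradh names as the proper test case. The C below is an added example, not code from the PR, from dhcpcd or from the NetBSD tree. decay_vltime() reimplements the arithmetic of the quoted dhcpcd excerpt (the function name and the 1800 s / 1801 s sample are constructed); add_in6_addr() fills a struct in6_aliasreq the way the ifconfig one-liner does and is compiled only under __NetBSD__, because it needs NetBSD's in6_var.h and root. It assumes the kernel's "nothing to do" decision keys on ia6t_vltime alone, so ia6t_expire and ia6t_preferred are left at zero instead of being computed from the clock as ifconfig(8) does. Do not run the ioctl on a kernel without in6.c revision 1.292 or one of the pullups: that is exactly the panic in this PR.

```c
/*
 * Added example for PR kern/53922 (not NetBSD or dhcpcd source).
 *
 * decay_vltime(): the dhcpcd arithmetic quoted in the PR. dhcpcd keeps
 * the vltime from the last RA, subtracts the seconds elapsed since it
 * was received (unsigned, so it can wrap), and on wrap logs "lifetime
 * overflow" and zeroes the lifetimes. Either way the kernel can end up
 * being asked to add an address whose ia6t_vltime is 0.
 *
 * add_in6_addr(): the SIOCAIFADDR_IN6 ioctl with caller-chosen lifetimes,
 * NetBSD only. Requires root. Panics an unpatched kernel.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ND6_INFINITE_LIFETIME 0xffffffffU /* same value as in6.h / dhcpcd */

/*
 * Return the vltime dhcpcd would hand to the kernel after 'elapsed'
 * seconds have passed since an RA advertised 'vltime' seconds.
 */
uint32_t
decay_vltime(uint32_t vltime, uint32_t elapsed)
{
	uint32_t v = vltime;

	if (v != ND6_INFINITE_LIFETIME) {
		v -= elapsed;		/* unsigned subtraction, may wrap */
		if (v > vltime)		/* wrapped: dhcpcd's "lifetime overflow" */
			v = 0;
	}
	return v;
}

#ifdef __NetBSD__
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netinet6/in6_var.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <err.h>

/*
 * Add addr/64 to ifname with the given preferred/valid lifetimes via
 * SIOCAIFADDR_IN6. Returns 0 on success, -1 with errno set on failure.
 * Assumption: in6_update_ifa1 keys its vltime == 0 early return on
 * ia6t_vltime, so ia6t_expire/ia6t_preferred are left at 0 here.
 */
static int
add_in6_addr(const char *ifname, const char *addr, uint32_t pltime,
    uint32_t vltime)
{
	struct in6_aliasreq ifra;
	int s, rv;

	memset(&ifra, 0, sizeof(ifra));
	strlcpy(ifra.ifra_name, ifname, sizeof(ifra.ifra_name));
	ifra.ifra_addr.sin6_family = AF_INET6;
	ifra.ifra_addr.sin6_len = sizeof(ifra.ifra_addr);
	if (inet_pton(AF_INET6, addr, &ifra.ifra_addr.sin6_addr) != 1)
		return -1;
	ifra.ifra_prefixmask.sin6_family = AF_INET6;
	ifra.ifra_prefixmask.sin6_len = sizeof(ifra.ifra_prefixmask);
	memset(&ifra.ifra_prefixmask.sin6_addr, 0xff, 8);	/* /64 */
	ifra.ifra_lifetime.ia6t_pltime = pltime;
	ifra.ifra_lifetime.ia6t_vltime = vltime;

	if ((s = socket(AF_INET6, SOCK_DGRAM, 0)) == -1)
		return -1;
	rv = ioctl(s, SIOCAIFADDR_IN6, &ifra);
	close(s);
	return rv;
}
#endif

int
main(int argc, char **argv)
{
	(void)argc;
	(void)argv;

	/* Constructed sample: RA said 1800 s, dhcpcd reprocesses 1801 s later. */
	printf("vltime handed to kernel: %u\n", decay_vltime(1800, 1801));

#ifdef __NetBSD__
	/* Same input as `ifconfig lo0 inet6 fd00::1/64 pltime 0 vltime 0'. */
	if (add_in6_addr("lo0", "fd00::1", 0, 0) == -1)
		err(1, "SIOCAIFADDR_IN6");
	printf("ioctl returned 0: kernel survived vltime 0\n");
#else
	printf("SIOCAIFADDR_IN6 test needs NetBSD; skipped\n");
#endif
	return 0;
}
```

On a patched NetBSD the ioctl returns 0 and `ifconfig lo0 inet6` shows no fd00::1 afterwards, because in6_update_ifa1 declined to install an address with zero valid lifetime and the caller now breaks out before the pfil address hooks; an unpatched kernel never returns from the ioctl. decay_vltime() also shows the non-overflow route to the same input: when elapsed equals the advertised lifetime exactly, the result is 0 without any wrap, so a router that re-announces a prefix with a lifetime shorter than the interval between RAs can trigger this without any "lifetime overflow" log line at all.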
From: Taylor R Campbell <riastradh@NetBSD.org>
To: coypu@sdf.org
Cc: gnats-bugs@NetBSD.org
Subject: Re: kern/53922: My networking setup makes NetBSD panic
Date: Fri, 1 Mar 2024 23:06:32 +0000
From d63fb6fa402493034f2217bcb6bf55c84b003299 Mon Sep 17 00:00:00 2001
From: Taylor R Campbell <riastradh@NetBSD.org>
Date: Fri, 1 Mar 2024 23:05:31 +0000
Subject: [PATCH] netinet6: Avoid NPD on `ifconfig ifN inet6 ... pltime 0
vltime 0'.
PR kern/53922
---
sys/netinet6/in6.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/sys/netinet6/in6.c b/sys/netinet6/in6.c
index 9814edf357ce..f16818085099 100644
--- a/sys/netinet6/in6.c
+++ b/sys/netinet6/in6.c
@@ -726,7 +726,14 @@ in6_control1(struct socket *so, u_long cmd, void *data=
, struct ifnet *ifp)
int s =3D splsoftnet();
error =3D in6_update_ifa1(ifp, ifra, &ia, &psref, 0);
splx(s);
- if (error)
+ /*
+ * in6_update_ifa1 doesn't create the address if its
+ * valid lifetime (vltime) is zero, since we would just
+ * delete the address immediately in that case anyway.
+ * So it may succeed but return null ia. In that case,
+ * nothing left to do.
+ */
+ if (error || ia =3D=3D NULL)
break;
pfil_run_addrhooks(if_pfil, cmd, &ia->ia_ifa);
break;
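Review bot: the `ia == NULL` guard on the SIOCAIFADDR_IN6 path closes the crash for vltime 0, but the contract it relies on, in6_update_ifa1 returning 0 with a null ia, is documented only here in one caller; add the same note at in6_update_ifa1's `if (ia == NULL) return 0;` early return (quoted earlier in this PR), or have that path return a distinct "nothing to do" status, so another caller cannot reintroduce the dereference. The diffstat shows only in6.c changed while the commit subject gives a one-line reproducer; a regression test that issues `ifconfig ifN inet6 ... pltime 0 vltime 0` and checks no address was installed would keep this from regressing in the three pullup branches.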
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/53922 CVS commit: src/sys/netinet6
Date: Fri, 1 Mar 2024 23:50:28 +0000
Module Name: src
Committed By: riastradh
Date: Fri Mar 1 23:50:28 UTC 2024
Modified Files:
src/sys/netinet6: in6.c
Log Message:
netinet6: Avoid NPD on `ifconfig ifN inet6 ... pltime 0 vltime 0'.
PR kern/53922
To generate a diff of this commit:
cvs rdiff -u -r1.291 -r1.292 src/sys/netinet6/in6.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->pending-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Fri, 01 Mar 2024 23:57:07 +0000
State-Changed-Why:
pullup-10 #619
pullup-9 #1812
pullup-8 #1944
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/53922 CVS commit: [netbsd-10] src/sys/netinet6
Date: Sun, 10 Mar 2024 19:11:07 +0000
Module Name: src
Committed By: martin
Date: Sun Mar 10 19:11:07 UTC 2024
Modified Files:
src/sys/netinet6 [netbsd-10]: in6.c
Log Message:
Pull up following revision(s) (requested by riastradh in ticket #619):
sys/netinet6/in6.c: revision 1.292
netinet6: Avoid NPD on `ifconfig ifN inet6 ... pltime 0 vltime 0'.
PR kern/53922
To generate a diff of this commit:
cvs rdiff -u -r1.288.2.2 -r1.288.2.3 src/sys/netinet6/in6.c
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/53922 CVS commit: [netbsd-9] src/sys/netinet6
Date: Sun, 10 Mar 2024 19:12:05 +0000
Module Name: src
Committed By: martin
Date: Sun Mar 10 19:12:05 UTC 2024
Modified Files:
src/sys/netinet6 [netbsd-9]: in6.c
Log Message:
Pull up following revision(s) (requested by riastradh in ticket #1812):
sys/netinet6/in6.c: revision 1.292
netinet6: Avoid NPD on `ifconfig ifN inet6 ... pltime 0 vltime 0'.
PR kern/53922
To generate a diff of this commit:
cvs rdiff -u -r1.275.2.2 -r1.275.2.3 src/sys/netinet6/in6.c
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/53922 CVS commit: [netbsd-8] src/sys/netinet6
Date: Sun, 10 Mar 2024 19:13:09 +0000
Module Name: src
Committed By: martin
Date: Sun Mar 10 19:13:09 UTC 2024
Modified Files:
src/sys/netinet6 [netbsd-8]: in6.c
Log Message:
Pull up following revision(s) (requested by riastradh in ticket #1944):
sys/netinet6/in6.c: revision 1.292
netinet6: Avoid NPD on `ifconfig ifN inet6 ... pltime 0 vltime 0'.
PR kern/53922
To generate a diff of this commit:
cvs rdiff -u -r1.245.2.14 -r1.245.2.15 src/sys/netinet6/in6.c
Responsible-Changed-From-To: kern-bug-people->riastradh
Responsible-Changed-By: riastradh@NetBSD.org
Responsible-Changed-When: Tue, 02 Apr 2024 22:20:00 +0000
Responsible-Changed-Why:
mine
State-Changed-From-To: pending-pullups->closed
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Tue, 02 Apr 2024 22:20:00 +0000
State-Changed-Why:
fixed and pulled up to 10, 9, 8
>Unformatted: