NetBSD Problem Report #56455
From www@netbsd.org Fri Oct 15 05:51:36 2021
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id E70D91A9FC7
for <gnats-bugs@gnats.NetBSD.org>; Fri, 15 Oct 2021 05:51:35 +0000 (UTC)
Message-Id: <20211015032440.3EA3F1A923B@mollari.NetBSD.org>
Date: Fri, 15 Oct 2021 03:24:40 +0000 (UTC)
From: s-yamaguchi@iij.ad.jp
Reply-To: s-yamaguchi@iij.ad.jp
To: gnats-bugs@NetBSD.org
Subject: panic in if_get_bylla when if_set_sadl is called
X-Send-Pr-Version: www-1.0
>Number: 56455
>Category: kern
>Synopsis: panic in if_get_bylla when if_set_sadl is called
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Oct 15 05:55:00 +0000 2021
>Originator: Shoichi Yamaguchi
>Release: NetBSD 9.99.91
>Organization:
Internet Initiative Japan Inc.
>Environment:
NetBSD hidden 9.99.91 NetBSD 9.99.91 (GENERIC) #12: Fri Oct 15 09:21:21 JST 2021 hidden/obj/sys/arch/amd64/compile/GENERIC amd64
>Description:
[ 478.9688824] fatal page fault in supervisor mode
[ 478.9796964] trap type 6 code 0 rip 0xffffffff80dfccc3 cs 0x8 rflags 0x10246 cr2 0x5 ilevel 0x5 rsp 0xffffb180af52ce30
[ 478.9902694] curlwp 0xffff9aa6c5205480 pid 0.3 lowest kstack 0xffffb180af5282c0
kernel: page fault trap, code=0
Stopped in pid 0.3 (system) at netbsd:if_get_bylla+0x60: movzbl 5(%rax),
%edx
if_get_bylla() at netbsd:if_get_bylla+0x60
in_arpinput() at netbsd:in_arpinput+0xb5
arpintr() at netbsd:arpintr+0x160
softint_dispatch() at netbsd:softint_dispatch+0xf2
DDB lost frame for netbsd:Xsoftintr+0x4f, trying 0xffffb180af52d0f0
Xsoftintr() at netbsd:Xsoftintr+0x4f
--- interrupt ---
0:
ds 84
es 74
fs 20
gs 70e0
rdi ffff9aa5562bc016
rsi ffff9aa555d08523
rbp ffffb180af52ce80
rbx 6
rdx 6
rcx e2
rax 0
r8 0
r9 ffff9aa5574a2808
r10 ffff9aa5562bc00e
r11 dead
r12 ffff9aa5562bc016
r13 6
r14 4
r15 ffff9aa5574a2808
rip ffffffff80dfccc3 if_get_bylla+0x60
cs 8
rflags 10246
rsp ffffb180af52ce30
ss 10
netbsd:if_get_bylla+0x60: movzbl 5(%rax),%edx
db{0}>
if_deactivate_sadl() called from if_set_sadl stores NULL to ifp->if_sadl,
and if_get_bylla() refers ifp->if_sadl.Both of two are doing without lock
or other exclusive controls.
Therefore, the panic is appeared when doing commands that changes MAC
address e.g. "ifconfig vlan0 vlan 1 vlanif wm0" and
"ifconfig lagg0 laggport wm0", and receiving ARP frames at the same time.
>How-To-Repeat:
HOST-A% ifconfig wm0 192.168.0.1/24
HOST-A% arping -q -f 192.168.0.254
TARGET% ifconfig wm0 192.168.0.2/24
TARGET% ifconfig vlan0 create
TARGET% while true
do
ifconfig vlan0 vlan 1 vlanif wm1
sleep 0.$((RANDOM % 9 + 1))
ifconfig vlan0 -vlanif
sleep 0.$((RANDOM % 9 + 1))
done
----
I applied the following patch for the kernel of TARGET to cause the panic easily.
index 130ca14235a..41b5c2dea66 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -520,8 +520,10 @@ if_alloc_sadl(struct ifnet *ifp)
* now. This is useful for interfaces that can change
* link types, and thus switch link names often.
*/
- if (ifp->if_sadl != NULL)
+ if (ifp->if_sadl != NULL) {
if_free_sadl(ifp, 0);
+ delay(10000);
+ }
ifa = if_dl_create(ifp, &sdl);
>Fix:
(Contact us)
$NetBSD: query-full-pr,v 1.46 2020/01/03 16:35:01 leot Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2020
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.