NetBSD Problem Report #47576
From t-hash@abox3.so-net.ne.jp Mon Feb 18 13:11:41 2013
Return-Path: <t-hash@abox3.so-net.ne.jp>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
by www.NetBSD.org (Postfix) with ESMTP id 345CA63E500
for <gnats-bugs@gnats.NetBSD.org>; Mon, 18 Feb 2013 13:11:41 +0000 (UTC)
Message-Id: <201302181311.r1IDBZWi011770@ms-omx12.plus.so-net.ne.jp>
Date: Mon, 18 Feb 2013 22:11:35 +0900
From: Takahiro HAYASHI <t-hash@abox3.so-net.ne.jp>
To: gnats-bugs@gnats.NetBSD.org
Subject: deleting interface that does not have ipv6 link-local address causes kernel panic
>Number: 47576
>Category: kern
>Synopsis: deleting interface that does not have ipv6 link-local address causes kernel panic
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Feb 18 13:15:00 +0000 2013
>Closed-Date: Thu Aug 08 22:02:41 +0000 2013
>Last-Modified: Thu Aug 08 22:02:41 +0000 2013
>Originator: Takahiro HAYASHI
>Release: NetBSD 6.99.16
>Organization:
>Environment:
System: NetBSD ruin 6.99.16 NetBSD 6.99.16 (MONOLITHIC) #0: Wed Feb 13 13:56:34 UTC 2013 builds@b7.netbsd.org:/home/builds/ab/HEAD/i386/201302130710Z-obj/home/builds/ab/HEAD/src/sys/arch/i386/compile/MONOLITHIC i386
Architecture: i386
Machine: i386
>Description:
Deleting an interface that does not have an ipv6 link-local address
causes a kernel panic.
Unplugging a USB ethernet adapter that does not have an ipv6
link-local address also causes a panic.
# ifconfig tap0 create up
# ifconfig tap0
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ec_capabilities=5<VLAN_MTU,JUMBO_MTU>
ec_enabled=0
address: f2:0b:a4:4c:05:7e
media: Ethernet autoselect
inet6 fe80::f00b:a4ff:fe4c:57e%tap0 prefixlen 64 scopeid 0x4
# ifconfig tap0 inet6 `ifconfig tap0|grep fe80|awk '{print $2}'` delete
# ifconfig tap0
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ec_capabilities=5<VLAN_MTU,JUMBO_MTU>
ec_enabled=0
address: f2:0b:a4:4c:05:7e
media: Ethernet autoselect
# ifconfig tap0 destroy
uvm_fault(0xc1fc9eec, 0, 1) -> 0xe
fatal page fault in supervisor mode
trap type 6 code 0 eip c06457fc cs 8 eflags 10246 cr2 10 ilevel 6 esp 4
curlwp 0xc1fb9560 pid 402 lid 1 lowest kstack 0xd87b3000
kernel: supervisor trap page fault, code=0
Stopped in pid 402.1 (ifconfig) at netbsd:prelist_remove+0xd2: movl 10(%esi),%edx
db{0}> bt
prelist_remove(c1c9f084,d87b5900,c1c49320,d87b586c,c04d0629,c1c49320,c1c49320,c0766c70,c1c49320,c1c49320) at netbsd:prelist_remove+0xd2
nd6_purge(c1c49320,c1c49320,c0766c70,c1c49320,c1c49320,0,d87b586c,c04cbce0,c1c49320,d87b5900) at netbsd:nd6_purge+0x105
in6_ifdetach(c1c49320,c1c49320,c04cea91,c0ce02a0,ffffffff,c1ee27a0,c1fb9560,1,c1fb9560,c1c49320) at netbsd:in6_ifdetach+0x1c
udp6_usrreq(d87b5900,16,0,0,c1c49320,c1fb9560,c1c49320,d87b5a60,c03b1c89,d87b5900) at netbsd:udp6_usrreq+0x275
udp6_usrreq_wrapper(d87b5900,16,0,0,c1c49320,c1fb9560,d87b5900,0,0,0) at netbsd:udp6_usrreq_wrapper+0x41
if_detach(c1c49320,4,12,455,0,ffffffff,0,c0c749a0,c1b8f040,c0cdf820) at netbsd:if_detach+0x203
tap_detach(c1b8f040,0,c0bb1bc5,d87b5ad4,c03b0010,c1c0e000,c0bb1bc1,3,c1c49320,c1c0e000) at netbsd:tap_detach+0xc3
config_detach(c1b8f040,0,80906979,0,c1c49320,d87b5bd4,c03b2c06,c1b8f040,4,14) at netbsd:config_detach+0xc4
tap_clone_destroyer(c1b8f040,4,14,c1c49320,80906979,0,0,c1fb9560,c1b87618,c1c0e000) at netbsd:tap_clone_destroyer+0x26
ifioctl(c1fd17cc,80906979,c1c0e000,c1fb9560,0,c1022980,d87b5c24,80906979,d87b5d00,c1c2b440) at netbsd:ifioctl+0x430
soo_ioctl(c1c2b440,80906979,c1c0e000,c1feae1c,c1feae40,c1fead80,d87b5c48,c055dd7d,90,c1fead80) at netbsd:soo_ioctl+0x2c5
sys_ioctl(c1fb9560,d87b5d00,d87b5d28,c1fc9eec,0,36,c1ca21b4,d87b5d00,3,80906979) at netbsd:sys_ioctl+0x1b2
syscall() at netbsd:syscall+0x89
--- syscall (number 54) ---
bbb3ef27:
db{0}>
>How-To-Repeat:
Type the following commands.
ifconfig tap0 create up
ifconfig tap0 inet6 `ifconfig tap0|grep fe80|awk '{print $2}'` delete
ifconfig tap0 destroy
>Fix:
Not known.
You can avoid the panic by adding an ipv6 link-local address before
you delete the interface.
--
t-hash
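Added example (not part of the original report or of the NetBSD sources): a pre-flight check for the workaround above, listing interfaces that have no fe80:: address in ifconfig output so that one can be added back before the interface is destroyed or unplugged. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Reads `ifconfig -a` style output on stdin and prints the name of every
# interface block that contains no IPv6 link-local (fe80::) address.
# Live use on an unpatched kernel:  ifconfig -a | ifaces_without_linklocal
ifaces_without_linklocal() {
    awk '
        # Start of an interface block, e.g. "tap0: flags=8843<...> mtu 1500"
        $1 ~ /:$/ && $2 ~ /^flags=/ {
            if (name != "" && !ll) print name   # flush the previous block
            name = $1; sub(/:$/, "", name); ll = 0
            next
        }
        # An inet6 line carrying a link-local address (case-insensitive)
        $1 == "inet6" && tolower($2) ~ /^fe80:/ { ll = 1 }
        END { if (name != "" && !ll) print name }
    '
}

# Constructed sample modelled on the ifconfig output in this report:
# tap0 has had its link-local address deleted, tap1 still has one.
sample_output() {
    cat <<'EOF'
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: f2:0b:a4:4c:05:7e
        media: Ethernet autoselect
tap1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: f2:0b:a4:4c:05:7f
        media: Ethernet autoselect
        inet6 fe80::f00b:a4ff:fe4c:57f%tap1 prefixlen 64 scopeid 0x5
EOF
}

sample_output | ifaces_without_linklocal   # prints: tap0
```

Any interface the function prints is in the state this report describes.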
>Release-Note:
>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/47576 CVS commit: src/sys/netinet6
Date: Mon, 18 Feb 2013 11:45:51 -0500
Module Name: src
Committed By: christos
Date: Mon Feb 18 16:45:50 UTC 2013
Modified Files:
src/sys/netinet6: nd6_rtr.c
Log Message:
PR/47576: Takahiro HAYASHI: Avoid crash destroying tap0 after deleting
its link-local address.
To generate a diff of this commit:
cvs rdiff -u -r1.85 -r1.86 src/sys/netinet6/nd6_rtr.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Mon, 18 Feb 2013 23:35:52 +0000
State-Changed-Why:
Christos fixed it. And since AFAICT the wrong code isn't in netbsd-6,
there looks to be no need for pullups.
From: Takahiro HAYASHI <t-hash@abox3.so-net.ne.jp>
To: gnats-bugs@NetBSD.org
Cc: kern-bug-people@NetBSD.org, netbsd-bugs@NetBSD.org, gnats-admin@NetBSD.org,
dholland@NetBSD.org
Subject: Re: kern/47576 (deleting interface that does not have ipv6 link-local address causes kernel panic)
Date: Wed, 31 Jul 2013 20:09:28 +0900
On Mon, 18 Feb 2013 23:35:53 +0000 (UTC)
dholland@NetBSD.org wrote:
> Synopsis: deleting interface that does not have ipv6 link-local address causes kernel panic
>
> State-Changed-From-To: open->closed
> State-Changed-By: dholland@NetBSD.org
> State-Changed-When: Mon, 18 Feb 2013 23:35:52 +0000
> State-Changed-Why:
> Christos fixed it. And since AFAICT the wrong code isn't in netbsd-6,
> there looks to be no need for pullups.
This needs to be pulled up to netbsd-6{,-0,-1}.
ipv6 DoS attack avoidance is now pulled-up to netbsd-6*, but this
revision of nd6_rtr.c does not include diff -r1.85 -r1.86.
http://mail-index.netbsd.org/source-changes/2013/07/08/msg045300.html
From: Masanobu SAITOH <msaitoh@execsw.org>
To: gnats-bugs@NetBSD.org
Cc: Takahiro HAYASHI <t-hash@abox3.so-net.ne.jp>,
kern-bug-people@netbsd.org, gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org, msaitoh@execsw.org
Subject: Re: kern/47576 (deleting interface that does not have ipv6 link-local
address causes kernel panic)
Date: Thu, 01 Aug 2013 12:39:34 +0900
(2013/07/31 20:10), Takahiro HAYASHI wrote:
> The following reply was made to PR kern/47576; it has been noted by GNATS.
>
> From: Takahiro HAYASHI <t-hash@abox3.so-net.ne.jp>
> To: gnats-bugs@NetBSD.org
> Cc: kern-bug-people@NetBSD.org, netbsd-bugs@NetBSD.org, gnats-admin@NetBSD.org,
> dholland@NetBSD.org
> Subject: Re: kern/47576 (deleting interface that does not have ipv6 link-local address causes kernel panic)
> Date: Wed, 31 Jul 2013 20:09:28 +0900
>
> On Mon, 18 Feb 2013 23:35:53 +0000 (UTC)
> dholland@NetBSD.org wrote:
>
> > Synopsis: deleting interface that does not have ipv6 link-local address causes kernel panic
> >
> > State-Changed-From-To: open->closed
> > State-Changed-By: dholland@NetBSD.org
> > State-Changed-When: Mon, 18 Feb 2013 23:35:52 +0000
> > State-Changed-Why:
> > Christos fixed it. And since AFAICT the wrong code isn't in netbsd-6,
> > there looks to be no need for pullups.
>
> This needs to be pulled up to netbsd-6{,-0,-1}.
>
> ipv6 DoS attack avoidance is now pulled-up to netbsd-6*, but this
> revision of nd6_rtr.c does not include diff -r1.85 -r1.86.
> http://mail-index.netbsd.org/source-changes/2013/07/08/msg045300.html
>
I sent the pullup request now.
http://releng.netbsd.org/cgi-bin/req-6.cgi?show=926
--
-----------------------------------------------
SAITOH Masanobu (msaitoh@execsw.org
msaitoh@netbsd.org)
State-Changed-From-To: closed->pending-pullups
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Fri, 02 Aug 2013 04:41:42 +0000
State-Changed-Why:
pullup-6 #926
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/47576 CVS commit: [netbsd-6-0] src/sys/netinet6
Date: Thu, 8 Aug 2013 21:55:19 +0000
Module Name: src
Committed By: snj
Date: Thu Aug 8 21:55:19 UTC 2013
Modified Files:
src/sys/netinet6 [netbsd-6-0]: nd6_rtr.c
Log Message:
Pull up following revision(s) (requested by msaitoh in ticket #926):
sys/netinet6/nd6_rtr.c: revision 1.86
PR/47576: Takahiro HAYASHI: Avoid crash destroying tap0 after deleting
its link-local address.
To generate a diff of this commit:
cvs rdiff -u -r1.82.8.2 -r1.82.8.3 src/sys/netinet6/nd6_rtr.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/47576 CVS commit: [netbsd-6-1] src/sys/netinet6
Date: Thu, 8 Aug 2013 21:57:40 +0000
Module Name: src
Committed By: snj
Date: Thu Aug 8 21:57:40 UTC 2013
Modified Files:
src/sys/netinet6 [netbsd-6-1]: nd6_rtr.c
Log Message:
Pull up following revision(s) (requested by msaitoh in ticket #926):
sys/netinet6/nd6_rtr.c: revision 1.86
PR/47576: Takahiro HAYASHI: Avoid crash destroying tap0 after deleting
its link-local address.
To generate a diff of this commit:
cvs rdiff -u -r1.82.10.2 -r1.82.10.3 src/sys/netinet6/nd6_rtr.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/47576 CVS commit: [netbsd-6] src/sys/netinet6
Date: Thu, 8 Aug 2013 21:58:55 +0000
Module Name: src
Committed By: snj
Date: Thu Aug 8 21:58:55 UTC 2013
Modified Files:
src/sys/netinet6 [netbsd-6]: nd6_rtr.c
Log Message:
Pull up following revision(s) (requested by msaitoh in ticket #926):
sys/netinet6/nd6_rtr.c: revision 1.86
PR/47576: Takahiro HAYASHI: Avoid crash destroying tap0 after deleting
its link-local address.
To generate a diff of this commit:
cvs rdiff -u -r1.82.4.2 -r1.82.4.3 src/sys/netinet6/nd6_rtr.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: pending-pullups->closed
State-Changed-By: snj@NetBSD.org
State-Changed-When: Thu, 08 Aug 2013 22:02:41 +0000
State-Changed-Why:
Pulled up.
>Unformatted: