Date: Tue, 29 Mar 2011 11:34:55 +0200 (CEST) From: Przemyslaw Frasunek <venglin@freebsd.lublin.pl> To: FreeBSD-gnats-submit@FreeBSD.org Subject: kern/156030: Crash in nd6_dad_start() due to null ptr dereference Message-ID: <20110329093455.BD4B5239460@lagoon.freebsd.lublin.pl> Resent-Message-ID: <201103290940.p2T9e9uL088520@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 156030
>Category: kern
>Synopsis: Crash in nd6_dad_start() due to null ptr dereference
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Mar 29 09:40:08 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Przemyslaw Frasunek
>Release: FreeBSD 7.4-RELEASE i386
>Organization:
Nette sp. z o.o.
>Environment:
FreeBSD 7.4-RELEASE, GENERIC kernel, mpd5 with 200+ PPPoE interfaces,
IPv6 enabled
>Description:
Spurious crashes in nd6_dad_start()
(kgdb) bt
#0 doadump () at pcpu.h:197
#1 0xc085aa03 in boot (howto=260) at ../../../kern/kern_shutdown.c:421
#2 0xc085acd7 in panic (fmt=Variable "fmt" is not available.
) at ../../../kern/kern_shutdown.c:576
#3 0xc0b87cfc in trap_fatal (frame=0xe874386c, eva=392)
at ../../../i386/i386/trap.c:950
#4 0xc0b87f80 in trap_pfault (frame=0xe874386c, usermode=0, eva=392)
at ../../../i386/i386/trap.c:863
#5 0xc0b8895c in trap (frame=0xe874386c) at
../../../i386/i386/trap.c:541
#6 0xc0b6b27b in calltrap () at ../../../i386/i386/exception.s:166
#7 0xc084a374 in _mtx_lock_sleep (m=0xc743c67c, tid=3415908928, opts=0,
file=0x0, line=0) at ../../../kern/kern_mutex.c:339
#8 0xc09edc36 in nd6_dad_start (ifa=0xc743c600, delay=171)
at ../../../netinet6/nd6_nbr.c:1180
#9 0xc09d8810 in in6_update_ifa (ifp=0xc5c29800, ifra=0xe8743a4c,
ia=0xc743c600, flags=Variable "flags" is not available.
) at ../../../netinet6/in6.c:1306
#10 0xc09db9fd in in6_ifattach (ifp=0xc5c29800, altifp=0x0)
at ../../../netinet6/in6_ifattach.c:466
#11 0xc09d68d7 in in6_if_up (ifp=0xc5c29800) at
../../../netinet6/in6.c:2151
#12 0xc08fb1a5 in ifioctl (so=0xcad05d00, cmd=2151704858,
data=0xc6c63bc0 "ng9", td=0xcb9aa240) at ../../../net/if.c:2097
#13 0xc089ca02 in soo_ioctl (fp=0xc6625390, cmd=2151704858,
data=0xc6c63bc0,
active_cred=0xc70fa200, td=0xcb9aa240) at
../../../kern/sys_socket.c:204
#14 0xc08956e5 in kern_ioctl (td=0xcb9aa240, fd=33, com=2151704858,
data=0xc6c63bc0 "ng9") at file.h:269
#15 0xc0895844 in ioctl (td=0xcb9aa240, uap=0xe8743cfc)
at ../../../kern/sys_generic.c:571
#16 0xc0b882d5 in syscall (frame=0xe8743d38) at
../../../i386/i386/trap.c:1101
#17 0xc0b6b2e0 in Xint0x80_syscall () at
../../../i386/i386/exception.s:262
#18 0x00000033 in ?? ()
(kgdb) frame 7
#7 0xc084a374 in _mtx_lock_sleep (m=0xc743c67c, tid=3415908928, opts=0,
file=0x0, line=0) at ../../../kern/kern_mutex.c:339
339 owner = (struct thread *)(v & ~MTX_FLAGMASK);
(kgdb) print v
$1 = 6
(kgdb) x/i $eip
0xc084a374 <_mtx_lock_sleep+68>: mov 0x188(%ecx),%eax
(kgdb) info reg ecx
ecx 0x0 0
(kgdb) list
334 * If the owner is running on another CPU, spin until the
335 * owner stops running or the state of the lock changes.
336 */
337 v = m->mtx_lock;
338 if (v != MTX_UNOWNED) {
339 owner = (struct thread *)(v & ~MTX_FLAGMASK);
340 #ifdef ADAPTIVE_GIANT
341 if (TD_IS_RUNNING(owner)) {
342 #else
343 if (m != &Giant && TD_IS_RUNNING(owner)) {
(kgdb) print *m
$2 = {lock_object = {lo_name = 0xc0c3efef "ifaddr",
lo_type = 0xc0c3efef "ifaddr", lo_flags = 16908288, lo_witness_data = {
lod_list = {stqe_next = 0x0}, lod_witness = 0x0}}, mtx_lock = 6, mtx_recurse = 0}
(kgdb) frame 8
#8 0xc09edc36 in nd6_dad_start (ifa=0xc743c600, delay=171)
at ../../../netinet6/nd6_nbr.c:1180
1180 IFAREF(ifa); /* just for safety */
(kgdb) list
1175 * Note that we must delay the first transmission, if this is the
1176 * first packet to be sent from the interface after interface
1177 * (re)initialization.
1178 */
1179 dp->dad_ifa = ifa;
1180 IFAREF(ifa); /* just for safety */
1181 dp->dad_count = ip6_dad_count;
1182 dp->dad_ns_icount = dp->dad_na_icount = 0;
1183 dp->dad_ns_ocount = dp->dad_ns_tcount = 0;
1184 if (delay == 0) {
(kgdb) print *ifa
$3 = {ifa_addr = 0xc743c694, ifa_dstaddr = 0xc743c6cc,
ifa_netmask = 0xc743c6e8, if_data = {ifi_type = 0 '\0',
ifi_physical = 0 '\0', ifi_addrlen = 0 '\0', ifi_hdrlen = 0 '\0',
ifi_link_state = 0 '\0', ifi_spare_char1 = 0 '\0',
ifi_spare_char2 = 0 '\0', ifi_datalen = 0 '\0', ifi_mtu = 0,
ifi_metric = 0, ifi_baudrate = 0, ifi_ipackets = 0, ifi_ierrors = 0,
ifi_opackets = 0, ifi_oerrors = 0, ifi_collisions = 0, ifi_ibytes = 0,
ifi_obytes = 0, ifi_imcasts = 0, ifi_omcasts = 0, ifi_iqdrops = 0,
ifi_noproto = 0, ifi_hwassist = 0, ifi_epoch = 0, ifi_lastchange = { tv_sec = 0, tv_usec = 0}}, ifa_ifp = 0xc5c29800, ifa_link = {
tqe_next = 0x0, tqe_prev = 0xc594f960},
ifa_rtrequest = 0xc09eabc0 <nd6_rtrequest>, ifa_flags = 256, ifa_refcnt = 0,
ifa_metric = 0, ifa_claim_addr = 0, ifa_mtx = {lock_object = {
lo_name = 0xc0c3efef "ifaddr", lo_type = 0xc0c3efef "ifaddr",
lo_flags = 16908288, lo_witness_data = {lod_list = {stqe_next =
0x0},
lod_witness = 0x0}}, mtx_lock = 6, mtx_recurse = 0}}
>How-To-Repeat:
Happens after 20-30 days of uptime.
>Fix:
Unknown.
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20110329093455.BD4B5239460>