Date: Tue, 30 Sep 2025 10:35:30 -0700
From: Gleb Smirnoff
To: Mateusz Guzik, Zhenlei Huang
Cc: src-committers@freebsd.org, dev-commits-src-main@FreeBSD.org
Subject: Re: svn commit: r256519 - in head/sys: net netatalk netinet netinet6 netipx
References: <201310151031.r9FAVgRP008282@svn.freebsd.org>
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

  Mateusz,

On Mon, Sep 29, 2025 at 04:29:10PM +0200, Mateusz Guzik wrote:
M> We have crashes stemming from this:
M>
M> panic: ifa_alloc: invalid size 16
M>
M> panic() at panic+0x43/frame 0xfffffe009e777760
M> ifa_alloc() at ifa_alloc+0xd6/frame 0xfffffe009e777780
M> in6_ifadd() at in6_ifadd+0xd8/frame 0xfffffe009e7778a0
M> nd6_ra_input() at nd6_ra_input+0x1023/frame 0xfffffe009e777a80
M> icmp6_input() at icmp6_input+0x5b6/frame 0xfffffe009e777c00
M> ip6_input() at ip6_input+0xc94/frame 0xfffffe009e777ce0
M> sppp_input() at sppp_input+0x502/frame 0xfffffe009e777d70
M> pppoe_data_input() at pppoe_data_input+0x1e7/frame 0xfffffe009e777de0
M> swi_net() at swi_net+0x19b/frame 0xfffffe009e777e60
M> ithread_loop() at ithread_loop+0x266/frame 0xfffffe009e777ef0
M> fork_exit() at fork_exit+0x82/frame 0xfffffe009e777f30
M> fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe009e777f30
M>
M> in6_ifadd has:
M> struct in6_addr taddr;
M> ifa = ifa_alloc(sizeof(taddr), M_WAITOK);
M>
M> should the assert be simply removed?

As Zhenlei already noticed, sizeof(taddr) is incorrect there. But why are you the first to catch this panic? Even before my change in 2013 this code was incorrect: it would allocate too little memory for struct ifaddr and would later lead to trashing adjacent memory. Even the function itself will immediately read memory in front of the allocation. I guess this branch was never ever executed since export from KAME.

There are two possibilities here:

1) in6ifa_ifpforlinklocal() returns NULL. Your external pppoe/sppp interface doesn't have a link local address assigned, but is already receiving incoming traffic. This is what needs to be fixed. I'm not netinet6 expert enough to say what mechanism prevents other ifnet types from getting into this state, but there is definitely something special about yours.

2) We are hitting the (prefixlen != plen0) branch. Do you see the printf "%s: wrong prefixlen for %s (prefix=%d ifid=%d)\n" before the panic?

Most likely this is 1). Your interface type needs to be fixed and this function stripped of code that shall never happen.

-- 
Gleb Smirnoff
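A userland model of the size check that produced the panic above, as an added example that is not part of the thread or of FreeBSD's source: the struct layouts are reduced stand-ins, the allocator returns NULL where the kernel KASSERTs, and the "fixed" call sizing by struct in6_ifaddr is my assumption of the intended size, not something the message states.

```c
/* Added example (not FreeBSD source): userland model of the ifa_alloc()
 * size check. Layouts are reduced stand-ins; the allocator returns NULL
 * where the kernel would KASSERT/panic with "ifa_alloc: invalid size". */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Stand-in for struct in6_addr: 16 bytes, the "invalid size 16" in the panic. */
struct in6_addr { uint8_t s6_addr[16]; };

/* Reduced stand-in for the generic struct ifaddr every address type embeds. */
struct ifaddr {
    void *ifa_ifp;
    int   ifa_refcnt;
    int   ifa_flags;
    char  ifa_pad[40];    /* keeps sizeof(struct ifaddr) well above 16 */
};

/* Reduced stand-in for struct in6_ifaddr; struct ifaddr must come first. */
struct in6_ifaddr {
    struct ifaddr   ia_ifa;
    struct in6_addr ia_addr;
};

static unsigned invalid_size_count;   /* how often the check fired */

/* Model of ifa_alloc(): refuse any request too small to hold the header,
 * so a caller can never get a buffer it will then read or write past. */
static struct ifaddr *
ifa_alloc_model(size_t size)
{
    if (size < sizeof(struct ifaddr)) {
        invalid_size_count++;
        return NULL;
    }
    struct ifaddr *ifa = calloc(1, size);
    if (ifa != NULL)
        ifa->ifa_refcnt = 1;
    return ifa;
}

/* The call quoted in the thread: sized by the address, not by the ifaddr. */
static bool
in6_ifadd_buggy(void)
{
    struct in6_addr taddr;
    struct ifaddr *ifa = ifa_alloc_model(sizeof(taddr));   /* 16 bytes */
    free(ifa);
    return ifa != NULL;
}

/* Assumed corrected call: sized by the full per-family structure. */
static bool
in6_ifadd_fixed(void)
{
    struct ifaddr *ifa = ifa_alloc_model(sizeof(struct in6_ifaddr));
    free(ifa);
    return ifa != NULL;
}
```

Without the size check the buggy call would succeed and hand back a 16-byte buffer that the caller treats as a full struct ifaddr, which is the adjacent-memory trashing the reply describes.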