Date:      Mon, 16 Jul 2018 14:56:01 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 229807] route6d terminate with signal 11
Message-ID:  <bug-229807-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229807

            Bug ID: 229807
           Summary: route6d terminate with signal 11
           Product: Base System
           Version: 11.2-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: misc
          Assignee: bugs@FreeBSD.org
          Reporter: john@sanren.ac.za

Created attachment 195173
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=195173&action=edit
patch that I am using

I have a small ntp server (PC Engines APU), with an ipv6 subnet on lo0 with
route6d to advertise it. A few minutes after almost every reboot, route6d will
crash with a sig 11. If I then restart route6d, it will run until the next time
I reboot. I think it is when re0 finally gets a global ipv6 address.

Currently it is running 11.2, but the problem is not new. It has been there in
10.x and before.

A sanitised piece of rc.conf looks like this:

<snip>
# Disable to make ipv6 work
ifconfig_re0="-rxcsum -txcsum"
ipv4_addrs_re0="X.Y.8.18/24"
ipv4_addrs_lo0="X.Y.58.41/32"
ifconfig_re0_ipv6="inet6 accept_rtadv"
ifconfig_lo0_alias0="inet6 2001:A:B:C::1/64"
defaultrouter="X.Y.8.1"
route6d_enable="YES"
route6d_flags="-s"
ipv6_gateway_enable="YES"
</snip>

Gdb says:

<snip>
root@tick:/ # gdb /usr/sbin/route6d /route6d.old.core
GNU gdb 6.1.1 [FreeBSD]
...
Core was generated by `/usr/sbin/route6d -s'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.7...Reading symbols from
/usr/lib/debug//lib/libc.so.7.debug...done.
done.
Loaded symbols for /lib/libc.so.7
Reading symbols from /libexec/ld-elf.so.1...Reading symbols from
/usr/lib/debug//libexec/ld-elf.so.1.debug...done.
done.
Loaded symbols for /libexec/ld-elf.so.1
#0  ifrt (ifcp=0x800e38000, again=1) at
/usr/src/usr.sbin/route6d/route6d.c:2206
2206                    TAILQ_REMOVE(&riprt_head, rrt, rrt_next);
(gdb)
</snip>

Looking at the code, I think rrt should not be removed, but rather search_rrt,
and it should be freed afterwards? Route6d has now survived a few reboots with
the following patch.

<snip>
--- route6d.c.org       2018-06-22 01:03:51.000000000 +0200
+++ route6d.c   2018-07-08 08:23:53.279925000 +0200
@@ -2203,8 +2203,9 @@
                                        goto next;
                                }

-                               TAILQ_REMOVE(&riprt_head, rrt, rrt_next);
-                               delroute(&rrt->rrt_info, &rrt->rrt_gw);
+                               TAILQ_REMOVE(&riprt_head, search_rrt,
rrt_next);
+                               delroute(&search_rrt->rrt_info,
&search_rrt->rrt_gw);
+                               free(search_rrt);
                        }
                        /* Attach the route to the list */
                        trace(1, "route: %s/%d: register route (%s)\n",
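Review bot: the added `free(search_rrt)` comes after `delroute()`, which is the right order (delroute still reads `search_rrt->rrt_info` and `rrt_gw`), but `search_rrt` is left dangling afterwards; add `search_rrt = NULL;` right after the `free()` so that any later use in this iteration faults visibly instead of reading freed memory. The substitution itself is consistent with the backtrace: the `/* Attach the route to the list */` context line shows that `rrt` is only inserted after this point, so the old `TAILQ_REMOVE(&riprt_head, rrt, rrt_next)` was unlinking an element that had never been placed on the list, while `search_rrt` is the entry that is actually registered. Note also that the mailer has wrapped both `+` lines (`TAILQ_REMOVE(&riprt_head, search_rrt,` / `rrt_next);` and the `delroute(` / `&search_rrt->rrt_gw);` pair), so this inline copy no longer matches the `@@ -2203,8 +2203,9 @@` line counts and will not apply with patch(1); reviewers should use attachment 195173.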
</snip>

-- 
You are receiving this mail because:
You are the assignee for the bug.
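The register-or-replace logic that the report's patch changes, as an added example (not code from route6d or the FreeBSD tree; the names `rt`, `rt_register` and friends are hypothetical, the prefix is kept as a plain string, and the routes in `demo()` are constructed). It keeps a sys/queue.h TAILQ of registered routes and includes a check that shows why TAILQ_REMOVE on the not-yet-attached candidate dereferences NULL, which is the SIGSEGV at route6d.c:2206 above:

```c
/* Added example, not route6d code.  Hypothetical names throughout; a TAILQ of
 * routes with the "already registered / replace" logic from the ifrt() hunk. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/queue.h>

struct rt {
	char dest[40];          /* prefix as text, e.g. "2001:db8::/64" (simplified) */
	int  metric;
	TAILQ_ENTRY(rt) link;   /* tqe_next / tqe_prev, both NULL until inserted */
};
TAILQ_HEAD(rthead, rt);

enum { RT_REJECTED = 0, RT_ADDED = 1, RT_REPLACED = 2 };

static struct rt *rt_new(const char *dest, int metric)
{
	struct rt *r = calloc(1, sizeof *r);   /* zeroed, so link.tqe_prev == NULL */
	if (r == NULL)
		abort();
	strncpy(r->dest, dest, sizeof r->dest - 1);
	r->metric = metric;
	return r;
}

/* TAILQ_REMOVE(head, elm, link) executes "*elm->link.tqe_prev = ...".  For an
 * element that was never inserted, tqe_prev is still NULL, so removing the
 * not-yet-attached candidate (the old TAILQ_REMOVE(&riprt_head, rrt, ...)) is
 * a NULL-pointer write.  This check tells the two cases apart. */
static int rt_is_linked(const struct rt *r)
{
	return r->link.tqe_prev != NULL;
}

/* Register cand: keep the existing entry if it is at least as good, otherwise
 * unlink and free the *existing* entry (as the patch does), then attach cand. */
static int rt_register(struct rthead *head, struct rt *cand)
{
	struct rt *cur;

	TAILQ_FOREACH(cur, head, link)
		if (strcmp(cur->dest, cand->dest) == 0)
			break;

	if (cur != NULL) {
		if (cur->metric <= cand->metric) {
			free(cand);                 /* already have a better route */
			return RT_REJECTED;
		}
		TAILQ_REMOVE(head, cur, link);  /* cur, never cand: cand is not linked */
		free(cur);
		cur = NULL;                     /* no dangling pointer after free */
		TAILQ_INSERT_HEAD(head, cand, link);
		return RT_REPLACED;
	}
	TAILQ_INSERT_HEAD(head, cand, link);
	return RT_ADDED;
}

static int rt_lookup_metric(struct rthead *head, const char *dest)
{
	struct rt *cur;
	TAILQ_FOREACH(cur, head, link)
		if (strcmp(cur->dest, dest) == 0)
			return cur->metric;
	return -1;
}

static int rt_count(struct rthead *head)
{
	struct rt *cur;
	int n = 0;
	TAILQ_FOREACH(cur, head, link)
		n++;
	return n;
}

static void rt_free_all(struct rthead *head)
{
	while (!TAILQ_EMPTY(head)) {
		struct rt *cur = TAILQ_FIRST(head);
		TAILQ_REMOVE(head, cur, link);
		free(cur);
	}
}

/* A fresh, never-inserted entry: returns 0, i.e. TAILQ_REMOVE on it would crash. */
static int fresh_entry_is_linked(void)
{
	struct rt *r = rt_new("2001:db8::/64", 1);
	int linked = rt_is_linked(r);
	free(r);
	return linked;
}

/* Constructed scenario: prefix registered, a worse candidate rejected, a better
 * one replacing it.  Returns the three results packed as hex digits (expected
 * 0x102), or -1 if the table does not end up with exactly the metric-1 route. */
static int demo(void)
{
	struct rthead head;
	int r1, r2, r3, ok;

	TAILQ_INIT(&head);
	r1 = rt_register(&head, rt_new("2001:db8::/64", 2));
	r2 = rt_register(&head, rt_new("2001:db8::/64", 5));
	r3 = rt_register(&head, rt_new("2001:db8::/64", 1));
	ok = rt_count(&head) == 1 && rt_lookup_metric(&head, "2001:db8::/64") == 1;
	rt_free_all(&head);
	return ok ? (r1 << 8) | (r2 << 4) | r3 : -1;
}

int main(void)
{
	printf("fresh entry linked: %d\n", fresh_entry_is_linked());
	printf("demo result: 0x%x\n", demo());
	return 0;
}
```

The `rt_is_linked()` test relies on the entry being zero-initialised (calloc); with an uninitialised allocation the removal would write through garbage instead of NULL, which is why such a bug can surface only after a specific sequence such as re0 obtaining its global address a few minutes after boot.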


