Message-Id: <20000410185854.1FADE409@antinea.enst.fr>
Date: Mon, 10 Apr 2000 20:58:54 +0200 (CEST)
From: Samuel Tardieu
Reply-To: Samuel Tardieu
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/17909: Panic when removing a pccard which has seen an IPv6 router advertisement

>Number: 17909
>Category: kern
>Synopsis: Panic when removing a pccard which has seen an IPv6 router advertisement
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Apr 10 12:30:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Samuel Tardieu
>Release: FreeBSD 5.0-CURRENT i386
>Organization: ENST
>Environment:

-CURRENT from last week on a Compaq Armada V300 laptop. I am located on
an IPv6 enabled network with routers doing advertisement on the Ethernet
(another -CURRENT machine btw).

>Description:

If a PCMCIA card (3C589D, ep0 device) is present in the laptop and is
removed after a router advertisement has been seen on the wire, the
kernel will panic in the next call to nd6_timer. This is due to the fact
that the prefix/router pair is still present with a reference to the
now-nonexistent interface.

The panic occurs in in6ifa_ifpwithaddr, called from line 479 of nd6.c.
The prefix structure clearly shows that the prefix/router pair has not
been removed (prefix was 3ffe:403:104:a0::/64):

(gdb) where
#0  in6ifa_ifpwithaddr (ifp=0xc0936a00, addr=0xc09024b8) at ../../netinet6/in6.c:1339
#1  0xc01db173 in nd6_timer (ignored_arg=0x0) at ../../netinet6/nd6.c:479
#2  0xc0159c65 in softclock () at ../../kern/kern_timeout.c:131
(gdb) fr 1
#1  0xc01db173 in nd6_timer (ignored_arg=0x0) at ../../netinet6/nd6.c:479
(gdb) p *pr
$4 = {ndpr_ifp = 0xc0936a00, ndpr_entry = {le_next = 0x0, le_prev = 0xc02a697c},
  ndpr_prefix = {sin6_len = 28 '\034', sin6_family = 28 '\034', sin6_port = 0,
    sin6_flowinfo = 0, sin6_addr = {
      __u6_addr = {
        __u6_addr8 = "?þ\003\004\001\003\000 \000\000\000\000\000\000\000",
        __u6_addr16 = {65087, 1027, 769, 40960, 0, 0, 0, 0}, __u6_addr32 = {
          67370559, 2684355329, 0, 0}}}, sin6_scope_id = 0}, ndpr_mask = {
    __u6_addr = {__u6_addr8 = "ÿÿÿÿÿÿÿÿ\000\000\000\000\000\000\000",
      __u6_addr16 = {65535, 65535, 65535, 65535, 0, 0, 0, 0}, __u6_addr32 = {
        4294967295, 4294967295, 0, 0}}}, ndpr_addr = {__u6_addr = {
      __u6_addr8 = "?þ\003\004\001\003\000 \002`\bÿþC\177Ô", __u6_addr16 = {
        65087, 1027, 769, 40960, 24578, 65288, 17406, 54399}, __u6_addr32 = {
        67370559, 2684355329, 4278738946, 3565110270}}},
  ndpr_vltime = 4294967295, ndpr_pltime = 4294967295, ndpr_expire = 0,
  ndpr_preferred = 0, ndpr_flags = {onlink = 1 '\001', autonomous = 1 '\001',
    reserved = 0 '\000'}, ndpr_advrtrs = {lh_first = 0xc09a9e70},
  ndpr_plen = 64 '@', ndpr_stateflags = {onlink = 1 '\001'}}

However, the interface is not valid anymore:

(gdb) p *pr->ndpr_ifp
$6 = {if_softc = 0xdeadc0de, if_name = 0xc029e200 "`ä)À°S", if_link = {
    tqe_next = 0xdeadc0de, tqe_prev = 0xc09c5000}, if_addrhead = {
    tqh_first = 0xdeadc0de, tqh_last = 0xdeadc0de}, if_pcount = -559038242,
  if_bpf = 0xdeadc0de, if_index = 49374, if_unit = -8531, if_timer = -16162,
  if_flags = -8531, if_ipending = -559038242, if_linkmib = 0xdeadc0de,
  if_linkmiblen = 3735929054, if_data = {ifi_type = 222 'Þ',
    ifi_physical = 192 'À', ifi_addrlen = 173 '­', ifi_hdrlen = 222 'Þ',
    ifi_recvquota = 222 'Þ', ifi_xmitquota = 192 'À', ifi_mtu = 3735929054,
    ifi_metric = 0, ifi_baudrate = 10000000, ifi_ipackets = 1739,
    ifi_ierrors = 0, ifi_opackets = 26, ifi_oerrors = 0, ifi_collisions = 0,
    ifi_ibytes = 310488, ifi_obytes = 2035, ifi_imcasts = 1698,
    ifi_omcasts = 3, ifi_iqdrops = 0, ifi_noproto = 0, ifi_hwassist = 0,
    ifi_unused = 0, ifi_lastchange = {tv_sec = 955392108, tv_usec = 92647}},
  if_multiaddrs = {lh_first = 0xc092fb80}, if_amcount = 0,
  if_output = 0xc0193d64 , if_start = 0xc0132fd4 , if_done = 0,
  if_ioctl = 0xc0133c28 , if_watchdog = 0xc0133d28 , if_poll_recv = 0,
  if_poll_xmit = 0, if_poll_intren = 0, if_poll_slowinput = 0,
  if_init = 0xc0132d94 , if_resolvemulti = 0xc0194900 , if_snd = {
    ifq_head = 0x0, ifq_tail = 0x0, ifq_len = 0, ifq_maxlen = 50,
    ifq_drops = 0}, if_poll_slowq = 0x0, if_prefixhead = {tqh_first = 0x0,
    tqh_last = 0xc0936ad0}}

>How-To-Repeat:

Put an Ethernet card in a laptop on an IPv6 enabled network with router
advertisements, wait for a global address to be assigned, then remove
the card (or suspend the laptop, this should have the same effect when
it resumes as the interface has been brought down when suspending).

In fact, if you have a way to completely remove an interface, you should
be able to reproduce this without a laptop.

>Fix:

It looks to me that removing the prefix/router associations bound to an
interface when the interface is brought down is the right thing to do.
Those pairs are useless when the interface is down, even if present.

>Release-Note:
>Audit-Trail:
>Unformatted:
 root
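
The fix direction proposed in the report, sketched as an added example that is not part of the original report and is not FreeBSD kernel code: every prefix entry holding a pointer to an interface is purged before that interface's memory is released, so the periodic timer never follows a stale ndpr_ifp. This is a simplified user-space model; it purges at detach time, and if_attach, if_detach, prefix_add, prefix_purge_ifp and prefix_timer are hypothetical names.

```c
/* Simplified user-space model, not FreeBSD kernel code; names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

struct ifnet { int if_up; };
struct nd_prefix {
    struct ifnet *ndpr_ifp;     /* borrowed pointer to the owning interface */
    char prefix[48];
    struct nd_prefix *next;
};
static struct nd_prefix *prefix_list;

struct ifnet *if_attach(void) {
    struct ifnet *ifp = calloc(1, sizeof(*ifp));
    if (ifp != NULL) ifp->if_up = 1;
    return ifp;
}
int prefix_add(struct ifnet *ifp, const char *prefix) {
    struct nd_prefix *pr = calloc(1, sizeof(*pr));
    if (pr == NULL) return -1;
    pr->ndpr_ifp = ifp;
    snprintf(pr->prefix, sizeof(pr->prefix), "%s", prefix);
    pr->next = prefix_list;
    prefix_list = pr;
    return 0;
}
/* Drop every prefix still pointing at ifp; returns how many were removed. */
int prefix_purge_ifp(const struct ifnet *ifp) {
    int removed = 0;
    for (struct nd_prefix **pp = &prefix_list; *pp != NULL; ) {
        struct nd_prefix *pr = *pp;
        if (pr->ndpr_ifp == ifp) { *pp = pr->next; free(pr); removed++; }
        else pp = &pr->next;
    }
    return removed;
}
/* Detach path: purge dependents first, only then release the interface. */
int if_detach(struct ifnet *ifp) {
    int removed = prefix_purge_ifp(ifp);
    free(ifp);
    return removed;
}
/* Timer stand-in: dereferences ndpr_ifp of every entry still on the list. */
int prefix_timer(void) {
    int up = 0;
    for (struct nd_prefix *pr = prefix_list; pr != NULL; pr = pr->next)
        up += pr->ndpr_ifp->if_up;
    return up;
}
```

Skipping the prefix_purge_ifp call in if_detach reproduces the shape of the reported panic: the next prefix_timer pass reads through a pointer to freed memory.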