Date: Mon, 18 Nov 2019 22:04:13 +0000
From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r354832 - in head: sys/netinet6 tests/sys/netinet6
Message-ID: <C11361E3-8BD2-49BE-9E13-B3BD5D777B5F@FreeBSD.org>
In-Reply-To: <201911182159.xAILxmAt068529@repo.freebsd.org>
References: <201911182159.xAILxmAt068529@repo.freebsd.org>
On 18 Nov 2019, at 21:59, Bjoern A. Zeeb wrote:

> Author: bz
> Date: Mon Nov 18 21:59:47 2019
> New Revision: 354832
> URL: https://svnweb.freebsd.org/changeset/base/354832
>
> Log:
>   icmpv6: Fix mbuf change in mld
>
>   After r354748 mld_input() can change the mbuf. The new pointer
>   is never returned to icmp6_input() and when passed to
>   icmp6_rip6_input() the mbuf may no longer be valid, leading to
>   a panic.
>   Pass a pointer to the mbuf to mld_input() so we can return an
>   updated version in the non-error case.
>
>   Add a test sending an MLD packet case which will trigger this bug.

The test case currently (after this commit) also triggers an epoch assert
which is unrelated to these changes. Just in case anyone wonders, in case
they still see a panic with the changes applied.

The original problem manifested itself like this:

Fatal trap 9: general protection fault while in kernel mode
cpuid = 0; apic id = 02
instruction pointer     = 0x20:0xffffffff80e0a7e3
stack pointer           = 0x28:0xfffffe00acfea5f0
frame pointer           = 0x28:0xfffffe00acfea780
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (swi1: netisr 0)
trap number             = 9
panic: general protection fault
cpuid = 0
time = 1574113185
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00acfea2d0
vpanic() at vpanic+0x17e/frame 0xfffffe00acfea330
panic() at panic+0x43/frame 0xfffffe00acfea390
trap_fatal() at trap_fatal+0x386/frame 0xfffffe00acfea3f0
trap() at trap+0x67/frame 0xfffffe00acfea520
calltrap() at calltrap+0x8/frame 0xfffffe00acfea520
--- trap 0x9, rip = 0xffffffff80e0a7e3, rsp = 0xfffffe00acfea5f0, rbp = 0xfffffe00acfea780 ---
icmp6_input() at icmp6_input+0xf83/frame 0xfffffe00acfea780
ip6_input() at ip6_input+0xd1e/frame 0xfffffe00acfea860
netisr_dispatch_src() at netisr_dispatch_src+0xb1/frame 0xfffffe00acfea8e0
ether_demux() at ether_demux+0x16e/frame 0xfffffe00acfea910
ether_nh_input() at ether_nh_input+0x408/frame 0xfffffe00acfea970
netisr_dispatch_src() at netisr_dispatch_src+0xb1/frame 0xfffffe00acfea9f0
ether_input() at ether_input+0x9d/frame 0xfffffe00acfeaa70
epair_nh_sintr() at epair_nh_sintr+0x17/frame 0xfffffe00acfeaa90
swi_net() at swi_net+0x1c3/frame 0xfffffe00acfeab50
ithread_loop() at ithread_loop+0x1c6/frame 0xfffffe00acfeabb0
fork_exit() at fork_exit+0x80/frame 0xfffffe00acfeabf0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00acfeabf0
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
KDB: enter: panic
[ thread pid 12 tid 100027 ]
Stopped at      kdb_enter+0x37: movq    $0,0x108a776(%rip)
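As an added illustration of the ownership bug the log message describes (this is example code written for this page, not FreeBSD's mbuf API and not code from the commit): a callee that may relocate the packet into a new mbuf must hand the new pointer back, otherwise the caller keeps using a freed one. The toy `struct mbuf`, the `toy_pullup()` helper, the 24-byte `MLD_HDR_LEN`, and the 8-byte offset are all constructed assumptions; the two caller variants mirror the before-and-after shapes of the `mld_input()` call from `icmp6_input()`.

```c
/* Toy model of the r354832 ownership bug. The structs and functions here
 * are constructed for this example; they are not FreeBSD's mbuf API, and
 * MLD/ICMPv6 processing is reduced to "pull up N header bytes". */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POOL_SIZE   8
#define MAX_DATA    64
#define MLD_HDR_LEN 24            /* assumed header length the callee needs */

struct mbuf {
    unsigned char data[MAX_DATA];
    size_t len;
    int in_use;                   /* 0 once freed: lets us detect stale use */
};

static struct mbuf pool[POOL_SIZE];

static void pool_reset(void) { memset(pool, 0, sizeof pool); }

static struct mbuf *m_get(void) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            memset(&pool[i], 0, sizeof pool[i]);
            pool[i].in_use = 1;
            return &pool[i];
        }
    }
    return NULL;
}

static void m_free(struct mbuf *m) { m->in_use = 0; }

/* Is the pointer still a live mbuf? Real kernel code cannot ask this;
 * it simply faults, as in the trace above. */
int m_is_valid(const struct mbuf *m) { return m != NULL && m->in_use; }

/* Like a pullup: copy the packet into a fresh mbuf and free the old one.
 * Always relocates so the ownership transfer is visible. Returns the
 * new mbuf, or NULL (old mbuf freed) when the packet is too short. */
static struct mbuf *toy_pullup(struct mbuf *m, size_t need) {
    if (m->len < need) { m_free(m); return NULL; }
    struct mbuf *n = m_get();
    if (n == NULL) { m_free(m); return NULL; }
    memcpy(n->data, m->data, m->len);
    n->len = m->len;
    m_free(m);
    return n;
}

/* BEFORE: the handler may replace the mbuf but returns only a status,
 * so the caller's pointer silently goes stale. */
static int mld_input_before(struct mbuf *m, size_t off) {
    m = toy_pullup(m, off + MLD_HDR_LEN);
    if (m == NULL) return -1;
    /* ... MLD processing on the relocated packet ... */
    return 0;
}

/* AFTER: take struct mbuf ** so the updated pointer reaches the caller
 * in the non-error case; on error the caller's pointer is cleared. */
static int mld_input_after(struct mbuf **mp, size_t off) {
    struct mbuf *m = toy_pullup(*mp, off + MLD_HDR_LEN);
    if (m == NULL) { *mp = NULL; return -1; }
    *mp = m;
    return 0;
}

/* Callers modeled on icmp6_input(): after the MLD handler, the packet is
 * passed on to raw-socket delivery. Each returns whether the mbuf it would
 * hand on is still live (1) or already freed (0). */
int icmp6_input_before(void) {
    pool_reset();
    struct mbuf *m = m_get();
    m->len = 40;                  /* constructed packet: long enough to pull up */
    if (mld_input_before(m, 8) != 0) return 0;
    return m_is_valid(m);         /* stale pointer: 0 */
}

int icmp6_input_after(void) {
    pool_reset();
    struct mbuf *m = m_get();
    m->len = 40;
    if (mld_input_after(&m, 8) != 0) return 0;
    return m_is_valid(m);         /* updated pointer: 1 */
}

int main(void) {
    printf("before fix: mbuf live after mld_input = %d\n", icmp6_input_before());
    printf("after fix:  mbuf live after mld_input = %d\n", icmp6_input_after());
    return 0;
}
```

The model replaces the mbuf on every call so the stale pointer shows up deterministically; in the real stack the relocation only happens on some packets, which is why a targeted test like the one added in this commit is needed to exercise the path reliably.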