From: "Bjoern A. Zeeb"
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r354832 - in head: sys/netinet6 tests/sys/netinet6
Date: Mon, 18 Nov 2019 22:04:13 +0000

On 18 Nov 2019, at 21:59, Bjoern A. Zeeb wrote:

> Author: bz
> Date: Mon Nov 18 21:59:47 2019
> New Revision: 354832
> URL: https://svnweb.freebsd.org/changeset/base/354832
>
> Log:
>   icmpv6: Fix mbuf change in mld
>
>   After r354748 mld_input() can change the mbuf. The new pointer
>   is never returned to icmp6_input() and when passed to
>   icmp6_rip6_input() the mbuf may no longer be valid leading to
>   a panic.
>   Pass a pointer to the mbuf to mld_input() so we can return an
>   updated version in the non-error case.
>
>   Add a test sending an MLD packet case which will trigger this bug.

The test case currently (after this commit) also triggers an epoch
assert which is unrelated to these changes. Just in case anyone wonders
in case they still see a panic with the changes applied.

The original problem manifested itself like this:

Fatal trap 9: general protection fault while in kernel mode
cpuid = 0; apic id = 02
instruction pointer = 0x20:0xffffffff80e0a7e3
stack pointer = 0x28:0xfffffe00acfea5f0
frame pointer = 0x28:0xfffffe00acfea780
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 12 (swi1: netisr 0)
trap number = 9
panic: general protection fault
cpuid = 0
time = 1574113185
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00acfea2d0
vpanic() at vpanic+0x17e/frame 0xfffffe00acfea330
panic() at panic+0x43/frame 0xfffffe00acfea390
trap_fatal() at trap_fatal+0x386/frame 0xfffffe00acfea3f0
trap() at trap+0x67/frame 0xfffffe00acfea520
calltrap() at calltrap+0x8/frame 0xfffffe00acfea520
--- trap 0x9, rip = 0xffffffff80e0a7e3, rsp = 0xfffffe00acfea5f0, rbp = 0xfffffe00acfea780 ---
icmp6_input() at icmp6_input+0xf83/frame 0xfffffe00acfea780
ip6_input() at ip6_input+0xd1e/frame 0xfffffe00acfea860
netisr_dispatch_src() at netisr_dispatch_src+0xb1/frame 0xfffffe00acfea8e0
ether_demux() at ether_demux+0x16e/frame 0xfffffe00acfea910
ether_nh_input() at ether_nh_input+0x408/frame 0xfffffe00acfea970
netisr_dispatch_src() at netisr_dispatch_src+0xb1/frame 0xfffffe00acfea9f0
ether_input() at ether_input+0x9d/frame 0xfffffe00acfeaa70
epair_nh_sintr() at epair_nh_sintr+0x17/frame 0xfffffe00acfeaa90
swi_net() at swi_net+0x1c3/frame 0xfffffe00acfeab50
ithread_loop() at ithread_loop+0x1c6/frame 0xfffffe00acfeabb0
fork_exit() at fork_exit+0x80/frame 0xfffffe00acfeabf0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00acfeabf0
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
KDB: enter: panic
[ thread pid 12 tid 100027 ]
Stopped at kdb_enter+0x37: movq $0,0x108a776(%rip)
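
The stale-pointer pattern named in the commit log, reduced to a user-space C sketch. This is an example added here for illustration, not FreeBSD code and not part of the original message: struct buf, buf_alloc(), buf_pullup(), both handlers and caller_pointer_live() are hypothetical names, standing in for the mbuf, a callee that may replace it, and the caller that keeps using its pointer afterwards.

```c
#include <stddef.h>
#include <string.h>
/* Toy stand-in for an mbuf (hypothetical, not struct mbuf). Buffers live in a
 * static pool so a released one can be inspected without undefined behaviour. */
struct buf { int live; size_t contig, len; unsigned char data[32]; };
static struct buf pool[4];

static struct buf *buf_alloc(void) {
    for (size_t i = 0; i < 4; i++)
        if (!pool[i].live) {
            pool[i] = (struct buf){ .live = 1 };
            return &pool[i];
        }
    return NULL;
}

/* Pullup-style helper: ensures `need` contiguous bytes. It may copy the data
 * into a new buffer and release the old one; on failure the input is released. */
static struct buf *buf_pullup(struct buf *b, size_t need) {
    if (b->contig >= need) return b;
    struct buf *n = (b->len >= need) ? buf_alloc() : NULL;
    if (n != NULL) {
        memcpy(n->data, b->data, b->len);
        n->len = n->contig = b->len;
    }
    b->live = 0;                     /* old buffer is released either way */
    return n;
}

/* Before: pointer passed by value, so the replacement never reaches the caller. */
static int handler_by_value(struct buf *b) {
    return (buf_pullup(b, 8) == NULL) ? -1 : 0;
}

/* After: callee writes the pointer back; NULL on error is this example's choice. */
static int handler_by_ref(struct buf **bp) {
    *bp = buf_pullup(*bp, 8);
    return (*bp == NULL) ? -1 : 0;
}

/* Returns 1 if the caller's pointer still names a live buffer after the call. */
int caller_pointer_live(int fixed, size_t contig) {
    struct buf *b = buf_alloc();
    b->len = 16; b->contig = contig;
    int rc = fixed ? handler_by_ref(&b) : handler_by_value(b);
    int live = (rc == 0 && b != NULL && b->live);
    memset(pool, 0, sizeof(pool));   /* reset the pool between runs */
    return live;
}
```

With contig set to 16 neither variant replaces the buffer, which is why the by-value form only fails on inputs that force a replacement.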