From nobody Mon Mar  3 10:13:25 2025
X-Original-To: bugs@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Z5vlp1qLHz5p90V
	for <bugs@mlmmj.nyi.freebsd.org>; Mon, 03 Mar 2025 10:13:26 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4Z5vlp04LKz3MbY
	for <bugs@FreeBSD.org>; Mon, 03 Mar 2025 10:13:26 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1740996806;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=7wVZ8Rl1uES3UmnoQJjJ2WweOwj2QS4v3b32mfW/vTE=;
	b=dAiHOBjl4RtXLtgvPs7k3WsXnO8gmLxwlrg6sAH2IUN5YuviAXAJ1WRfdiPkW/sJCFsN/v
	2MjKuoN4IEfwuUkZUAIQGPWxPf0tu2WQvrZVJ1CLpT6FNxLni1ylM3s4gBbNIDYqbo7BNx
	DePrdhtYUpHJwFjPvmrzrgS2t9wGdQrzY8xOOCctbcpsiPpgHN7a6bpbC5PecaRzY4uQ/W
	Qgt44O34RCdZH6Q1rI38qjXJxkNT+AGiuwZ7wRO1N9O0y/ujjgsbbo3LjAv+d2EaDbGzSa
	ndhA6WTuidN4l6gAViPzAPdAt/pfWOR387x9SxTcmmecJnc4MdBkPhQHJwy5qw==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1740996806; a=rsa-sha256; cv=none;
	b=vWJw4suBUyhyQvY91oW1y5owszKqRpOhbptiNd81v0UbWAK25cO6D6mc4ojIDIrhl1oSJd
	/FXBAe50huugIYd4jCwNSx3ZLgLVHZ6mAsRbp4auI+NodIb86kxzsDC0A89UKjraTdqneJ
	4fnM9vjAchLy//07bQA32f8vKG1XsTNzoJidcCiNFZmOz85VOtAmzI604w1E+cKO2eHbdM
	E4pXUjDP4mAVUb5Wa2nqffORaFVr+5V9laYOgGVXZVXCEIZacHPyxiQykjywvW5RUk9BSc
	9/vQCigDLEU71G9vBK74eaFp5Euix03qxir9eC5lVwOj1e5pAnSH83magLI0Jw==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1740996806;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=7wVZ8Rl1uES3UmnoQJjJ2WweOwj2QS4v3b32mfW/vTE=;
	b=ZGa2m0Ya0mG/ou60yHpqduHoOiDcedXlydcfKi2z1xVOhc8xkdAJNQSHDIsaxwLA1L2rcT
	xI5AwHpIY6L1bUxsfTbM5jOFEWtoLU5YzRrBgXRSqvhlR0lkJiIprUQW3AaaIMPCEWgHpl
	nfPF9j3B6Jn2HZFkHDLvRuoK/VStMleohd8gfxEjGB91kOvAOTgc2bfGgXeYnz2SASHLY2
	i04FIIhtl/B74TQBUgXHZTyMZIHP0qCwvJ1hPemLj0I/Iwaymy065nFsF7escwR/oCbBQJ
	S/qmP5jqCsI6aKzUk6pw5s0i9OiFPx1ozBKxAtdpABsJt7hVTb/wq+NYayWXLw==
Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Z5vln6G7Mzk80
	for <bugs@FreeBSD.org>; Mon, 03 Mar 2025 10:13:25 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.5])
	by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 523ADPXH081229
	for <bugs@FreeBSD.org>; Mon, 3 Mar 2025 10:13:25 GMT
	(envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
	by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 523ADPuw081227
	for bugs@FreeBSD.org; Mon, 3 Mar 2025 10:13:25 GMT
	(envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 285129] netinet(6)/route: uninitialized access of ifp->if_data
 in ip6_tryforward() with PPPoE/ng interface
Date: Mon, 03 Mar 2025 10:13:25 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 14.2-STABLE
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: franco@opnsense.org
X-Bugzilla-Status: New
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform
 bug_file_loc op_sys bug_status bug_severity priority component assigned_to
 reporter
Message-ID: <bug-285129-227@https.bugs.freebsd.org/bugzilla/>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs
List-Help: <mailto:freebsd-bugs+help@freebsd.org>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Subscribe: <mailto:freebsd-bugs+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-bugs+unsubscribe@freebsd.org>
Sender: owner-freebsd-bugs@FreeBSD.org
MIME-Version: 1.0

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=285129

            Bug ID: 285129
           Summary: netinet(6)/route: uninitialized access of ifp->if_data
                    in ip6_tryforward() with PPPoE/ng interface
           Product: Base System
           Version: 14.2-STABLE
          Hardware: Any
               URL: https://github.com/opnsense/src/issues/207
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: franco@opnsense.org

Hi,

Looking at a panic in ip6_tryforward() related to PPPoE, for details see the
downstream bug report. Backtrace is:

--- trap 0xc, rip = 0xffffffff80ddb5d7, rsp = 0xfffffe0038bd6840, rbp = 0xfffffe0038bd6970 ---
ip6_forward() at ip6_forward+0x2a7/frame 0xfffffe0038bd6970
ip6_input() at ip6_input+0x11f/frame 0xfffffe0038bd6a50
netisr_dispatch_src() at netisr_dispatch_src+0x9e/frame 0xfffffe0038bd6aa0
ether_demux() at ether_demux+0x149/frame 0xfffffe0038bd6ad0
ether_nh_input() at ether_nh_input+0x36a/frame 0xfffffe0038bd6b30
netisr_dispatch_src() at netisr_dispatch_src+0x9e/frame 0xfffffe0038bd6b80
ether_input() at ether_input+0x56/frame 0xfffffe0038bd6bd0
ether_demux() at ether_demux+0x97/frame 0xfffffe0038bd6c00
ether_nh_input() at ether_nh_input+0x36a/frame 0xfffffe0038bd6c60
netisr_dispatch_src() at netisr_dispatch_src+0x9e/frame 0xfffffe0038bd6cb0
ether_input() at ether_input+0x56/frame 0xfffffe0038bd6d00
iflib_rxeof() at iflib_rxeof+0xc0e/frame 0xfffffe0038bd6e00
_task_fn_rx() at _task_fn_rx+0x72/frame 0xfffffe0038bd6e40
gtaskqueue_run_locked() at gtaskqueue_run_locked+0x14e/frame 0xfffffe0038bd6ec0
gtaskqueue_thread_loop() at gtaskqueue_thread_loop+0xc2/frame 0xfffffe0038bd6ef0
fork_exit() at fork_exit+0x7f/frame 0xfffffe0038bd6f30
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0038bd6f30
--- trap 0x9d9d3e64, rip = 0xb414471ee4b2474b, rsp = 0x3113c21961b5c24c, rbp = 0x5647a54d06e1a518 ---

Got a debug core and here is what it says:

(kgdb) frame 17
#17 0xffffffff80e0f6fc in ip6_tryforward (m=0xfffff80053520d00) at /usr/src/sys/netinet6/ip6_fastfwd.c:194
194             mtu = IN6_LINKMTU(nifp);
(kgdb) p nifp->if_xname
$1 = "pppoe0\000\000\000\000\000\000\000\000\000"
(kgdb) p nifp->if_afdata
$2 = {0x0 <repeats 44 times>}
(kgdb) p nifp->if_afdata_initialized
$3 = 0

Yes, the code is slightly modified, but it's 100% not self-inflicted. You can
also find a similar panic here:

https://redmine.pfsense.org/issues/15640

To unpack, IN6_LINKMTU() uses if_getifdata() which reaches for if_afdata, but
that is not yet initialized (or maybe it's about to be torn down).

I'll put up a review for discussion in a bit. Fixing this one instance seems
trivial, but the issue of reaching for if_afdata unconditionally seems to be all
over the stack.


Cheers,
Franco

-- 
You are receiving this mail because:
You are the assignee for the bug.
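The pattern the report describes, as an added illustration that is not FreeBSD kernel code nor part of the bug report: a reduced user-space model of the ifnet / if_afdata relationship, with an MTU lookup shaped like the IN6_LINKMTU() chain (which dereferences if_afdata[AF_INET6] unconditionally) next to a guarded version that checks if_afdata_initialized and the AF_INET6 slot first. The struct layouts, the helper names, the scenario function and the 1492 PPPoE MTU are assumptions; the 44-slot if_afdata array, the NULL slots and if_afdata_initialized == 0 are taken from the kgdb output above.

```c
/* Added illustration, not FreeBSD kernel code: a reduced model of the
 * ifnet / if_afdata relationship from the report. Struct layouts and the
 * pppoe0 MTU are assumptions; the 44-slot array matches the kgdb dump. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define AF_MAX   44   /* if_afdata shows 44 slots in the kgdb output */
#define AF_INET6 28   /* FreeBSD's AF_INET6 */

/* Stand-in for struct nd_ifinfo: only the MTU fields IN6_LINKMTU() reads. */
struct nd_ifinfo { uint32_t linkmtu, maxmtu; };

/* Stand-in for struct in6_ifextra, the object hung off if_afdata[AF_INET6]. */
struct in6_ifextra { struct nd_ifinfo *nd_ifinfo; };

/* Reduced struct ifnet: just the members the report prints from kgdb. */
struct ifnet {
	char     if_xname[16];
	uint32_t if_mtu;
	void    *if_afdata[AF_MAX];
	int      if_afdata_initialized;
};

/* Same shape as the ND_IFINFO()/IN6_LINKMTU() chain: if_afdata[AF_INET6] is
 * dereferenced unconditionally. On an ifnet in the pppoe0 state from the
 * report (all slots NULL) this is a NULL dereference, i.e. the trap 0xc. */
static uint32_t
in6_linkmtu_unguarded(const struct ifnet *ifp)
{
	const struct in6_ifextra *ext = ifp->if_afdata[AF_INET6];
	const struct nd_ifinfo *ndi = ext->nd_ifinfo;   /* faults when ext == NULL */
	if (ndi->linkmtu != 0 && ndi->linkmtu < ifp->if_mtu)
		return (ndi->linkmtu);
	if (ndi->maxmtu != 0 && ndi->maxmtu < ifp->if_mtu)
		return (ndi->maxmtu);
	return (ifp->if_mtu);
}

/* The check the report asks for: has domain attach populated the IPv6
 * per-interface data, and is it still present (not mid-teardown)? */
static int
in6_afdata_ready(const struct ifnet *ifp)
{
	const struct in6_ifextra *ext = ifp->if_afdata[AF_INET6];
	return (ifp->if_afdata_initialized != 0 && ext != NULL &&
	    ext->nd_ifinfo != NULL);
}

/* Guarded lookup: same MTU policy, but falls back to if_mtu when the IPv6
 * state is absent instead of faulting (a caller could also drop the packet). */
static uint32_t
in6_linkmtu_guarded(const struct ifnet *ifp)
{
	if (!in6_afdata_ready(ifp))
		return (ifp->if_mtu);
	return (in6_linkmtu_unguarded(ifp));
}

/* Interface state as kgdb showed it for pppoe0: name set, if_afdata all NULL,
 * if_afdata_initialized == 0. The MTU value is an assumed PPPoE MTU. */
static void
ifnet_init_like_pppoe0(struct ifnet *ifp)
{
	memset(ifp, 0, sizeof(*ifp));
	strncpy(ifp->if_xname, "pppoe0", sizeof(ifp->if_xname) - 1);
	ifp->if_mtu = 1492;
}

/* Simulate domain attach: hang an initialized in6_ifextra off if_afdata. */
static void
ifnet_attach_in6(struct ifnet *ifp, struct in6_ifextra *ext,
    struct nd_ifinfo *ndi, uint32_t linkmtu, uint32_t maxmtu)
{
	ndi->linkmtu = linkmtu;
	ndi->maxmtu = maxmtu;
	ext->nd_ifinfo = ndi;
	ifp->if_afdata[AF_INET6] = ext;
	ifp->if_afdata_initialized = 1;
}

/* Run one scenario end to end and return the guarded link MTU: unattached
 * (the panic case) yields if_mtu; attached applies the linkmtu/maxmtu policy. */
static uint32_t
linkmtu_scenario(int attached, uint32_t linkmtu, uint32_t maxmtu)
{
	struct ifnet ifp;
	struct in6_ifextra ext;
	struct nd_ifinfo ndi;
	ifnet_init_like_pppoe0(&ifp);
	if (attached)
		ifnet_attach_in6(&ifp, &ext, &ndi, linkmtu, maxmtu);
	return (in6_linkmtu_guarded(&ifp));
}

int
main(void)
{
	printf("pppoe0 unattached: mtu=%u\n", linkmtu_scenario(0, 0, 0));
	printf("pppoe0 attached:   mtu=%u\n", linkmtu_scenario(1, 1280, 0));
	return (0);
}
```

The unguarded function is kept only to show the shape of the dereference; the scenario helper never calls it on an unattached interface, which is exactly the state the report's kgdb session shows for pppoe0.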