Date:      Mon, 10 Jan 2011 12:43:47 GMT
From:      Petr Lampa <lampa@fit.vutbr.cz>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/153841: page fault in icmp6_error2() called from nd6_llinfo_timer()
Message-ID:  <201101101243.p0AChlOT010420@red.freebsd.org>
Resent-Message-ID: <201101101250.p0ACo8aV013197@freefall.freebsd.org>


>Number:         153841
>Category:       kern
>Synopsis:       page fault in icmp6_error2() called from nd6_llinfo_timer()
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 10 12:50:07 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Petr Lampa
>Release:        8.2-PRERELEASE
>Organization:
BUT brno
>Environment:
FreeBSD xxx 8.2-PRERELEASE FreeBSD 8.2-PRERELEASE #16: Tue Nov 30 12:44:18 CET 2010     rrrr@xxxx:/usr/src/sys/i386/compile/GUTA  i386

>Description:
page fault
Stopped at icmp6_error2+0xc3:   movl 0x1dc(%eax),%eax

where:
Tracing pid 11 tid 1000006 td 0xc851e000
icmp6_error2(cad86800,1,3,0,c86d4c00,...) at icmp6_error2+0xc3
nd6_llinfo_timer(cc7da400,c851e000,c838bc40,c851e870,c851e000,...) at nd6_llinfo_timer+0x126
softclock(c07bd760,c851e000,0,109,3b7b822b,...) at softclock+0x22a

icmp6_error2+0xa3:      jmp     icmp6_error2+0x136
icmp6_error2+0xa8:      cmpl    $0x27,0xc(%ebx)
icmp6_error2+0xac:      jnbe    icmp6_error2+0xe0
icmp6_error2+0xae:      addl    $0x1,ip6stat+0x8
icmp6_error2+0xb5:      adcl    $0,ip6stat+0xc
icmp6_error2+0xbc:      movl    0x18(%ebx),%eax
icmp6_error2+0xbf:      testl   %eax,%eax
icmp6_error2+0xc1:      jz      icmp6_error2+0xd3
icmp6_error2+0xc3:      movl    0x1dc(%eax),%eax
icmp6_error2+0xc9:      movl    0(%eax),%eax
icmp6_error2+0xcb:      addl    $0x1,0x30(%eax)
icmp6_error2+0xcf:      adcl    $0,0x34(%eax)
icmp6_error2+0xd3:      movl    %ebx,0(%esp)
icmp6_error2+0xd6:      call    m_freem
icmp6_error2+0xdb:      jmp     icmp6_error2+0x136
icmp6_error2+0xdd:      leal    0(%esi),%esi
icmp6_error2+0xe0:      movl    0x8(%ebx),%esi
icmp6_error2+0xe3:      movl    $0,0x8(%esp)
icmp6_error2+0xeb:      movl    %edi,0x4(%esp)
icmp6_error2+0xef:      leal    0x8(%esi),%eax
icmp6_error2+0xf2:      movl    %eax,0(%esp)
icmp6_error2+0xf5:      call    in6_setscope
icmp6_error2+0xfa:      testl   %eax,%eax
icmp6_error2+0xfc:      jnz     icmp6_error2+0x136
(sorry if there is some garbage here; this is a result of OCR)

So the location of the page fault corresponds to the last branch of the
IP6_EXTHDR_CHECK() macro as expanded in icmp6_error2:

     if ((m)->m_len < (off) + (hlen)) {                         \
        V_ip6stat.ip6s_tooshort++;                              \
        in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);   \

The content of mbuf (m) is:

0xcad86800:    0            0            cad86896     1e
0xcad86810:    0            1            0            0
0xcad86820:    5a           0            4            6
0xcad86830:    0            0            5e0000       30000

It seems that the pkthdr is not there, so m->m_pkthdr.rcvif is 0 and it is dereferenced without a check.

>How-To-Repeat:
It happened after a ping6/traceroute6 (not sure which) to an unresponsive IPv6 address, which after some time started responding (probably; I'm not really sure).
>Fix:
Check the mbuf flags for M_PKTHDR in IP6_EXTHDR_CHECK().

>Release-Note:
>Audit-Trail:
>Unformatted:
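The following is an added userland model of the failure the PR describes and of the fix it proposes; it is example code written for this page, not FreeBSD's IP6_EXTHDR_CHECK() or in6_ifstat_inc(). The mbuf, ifnet and in6_ifstat layouts are simplified stand-ins, the names exthdr_check_orig and exthdr_check_fixed are hypothetical, and the "live ifnet registry" is an assumption that lets the model report a wild rcvif pointer instead of actually faulting. It builds a 30-byte mbuf (m_len = 0x1e, as in the dump above) that fails a 40-byte header length check, once without M_PKTHDR and once with it, and runs the single-mbuf branch both with and without the M_PKTHDR guard.

```c
/*
 * Added example, not FreeBSD code: a userland model of the last branch of
 * IP6_EXTHDR_CHECK() beside the fix proposed in the PR (test M_PKTHDR before
 * touching m_pkthdr.rcvif). Layouts and the ifnet registry are assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define M_PKTHDR 0x0002                 /* same bit value as sys/mbuf.h */

struct in6_ifstat { uint64_t ifs6_in_truncated; };
struct ifnet { struct in6_ifstat *in6_ifstat; };   /* stands in for if_afdata[AF_INET6] */

struct mbuf {
    struct mbuf *m_next;
    char        *m_data;
    int          m_len;
    int          m_flags;
    union {                             /* pkthdr is only meaningful with M_PKTHDR */
        struct { struct ifnet *rcvif; } pkthdr;
        char dat[64];                   /* otherwise these bytes are packet data */
    } M_dat;
};

/* Assumption: a registry of live ifnet objects turns a wild pointer into a
 * reportable error in this model, where the kernel would take a page fault. */
#define MAX_IFNET 4
static struct ifnet *live_ifnets[MAX_IFNET];
static int ifnet_is_live(const struct ifnet *ifp) {
    for (int i = 0; i < MAX_IFNET; i++)
        if (live_ifnets[i] == ifp) return 1;
    return 0;
}

enum { CHECK_OK = 0, CHECK_DROPPED = 1, CHECK_WILD_PTR = 2 };
static uint64_t ip6s_tooshort;
static void m_freem(struct mbuf *m) { (void)m; }

/* Model of in6_ifstat_inc(): a NULL check only, matching the testl/jz in the
 * disassembly; any other non-live pointer is the simulated fault. */
static int in6_ifstat_inc_truncated(struct ifnet *ifp) {
    if (ifp == NULL) return 0;
    if (!ifnet_is_live(ifp)) return -1;          /* would page-fault in the kernel */
    ifp->in6_ifstat->ifs6_in_truncated++;
    return 0;
}

/* Original shape: reads m_pkthdr.rcvif whether or not M_PKTHDR is set. */
static int exthdr_check_orig(struct mbuf *m, int off, int hlen) {
    if (m->m_next != NULL || m->m_len >= off + hlen) return CHECK_OK;
    ip6s_tooshort++;
    if (in6_ifstat_inc_truncated(m->M_dat.pkthdr.rcvif) < 0) return CHECK_WILD_PTR;
    m_freem(m);
    return CHECK_DROPPED;
}

/* Hardened shape: only consult the packet header when the flag says it exists. */
static int exthdr_check_fixed(struct mbuf *m, int off, int hlen) {
    if (m->m_next != NULL || m->m_len >= off + hlen) return CHECK_OK;
    ip6s_tooshort++;
    if (m->m_flags & M_PKTHDR) {
        if (in6_ifstat_inc_truncated(m->M_dat.pkthdr.rcvif) < 0) return CHECK_WILD_PTR;
    }
    m_freem(m);
    return CHECK_DROPPED;
}

/* Constructed input: a 30-byte mbuf (m_len = 0x1e as in the PR's dump). Without
 * a packet header the bytes where rcvif would live are filled with packet data. */
static void make_short_mbuf(struct mbuf *m, int with_pkthdr, struct ifnet *ifp) {
    memset(m, 0, sizeof *m);
    m->m_len = 0x1e;
    if (with_pkthdr) {
        m->m_flags = M_PKTHDR;
        m->M_dat.pkthdr.rcvif = ifp;
    } else {
        memset(m->M_dat.dat, 0x41, sizeof m->M_dat.dat);  /* 'A's where rcvif would be */
    }
    m->m_data = m->M_dat.dat;
}

static struct in6_ifstat stat0;
static struct ifnet ifp0 = { &stat0 };

/* Header-less mbuf against a 40-byte IPv6 header: returns orig*10 + fixed codes. */
int run_nopkthdr_scenario(void) {
    struct mbuf m;
    make_short_mbuf(&m, 0, NULL);
    int orig = exthdr_check_orig(&m, 0, 40);     /* wild rcvif -> simulated fault */
    make_short_mbuf(&m, 0, NULL);
    int fixed = exthdr_check_fixed(&m, 0, 40);   /* guard skips rcvif -> clean drop */
    return orig * 10 + fixed;
}

/* With a genuine packet header both variants account the truncation. */
uint64_t run_pkthdr_scenario(void) {
    struct mbuf m;
    live_ifnets[0] = &ifp0;
    stat0.ifs6_in_truncated = 0;
    make_short_mbuf(&m, 1, &ifp0);
    (void)exthdr_check_orig(&m, 0, 40);
    make_short_mbuf(&m, 1, &ifp0);
    (void)exthdr_check_fixed(&m, 0, 40);
    return stat0.ifs6_in_truncated;
}
```

The point the model makes is the one the PR makes: m_pkthdr only overlays real header fields when M_PKTHDR is set, so a NULL check on rcvif is not a validity check, and the length-failure path has to test the flag before it touches the header at all.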



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201101101243.p0AChlOT010420>