From: Kris Kennaway
To: Kris Kennaway
Cc: net@FreeBSD.org
Date: Tue, 7 Feb 2006 00:45:02 -0500
Subject: Re: Changing time causes ipv6 panics
Message-ID: <20060207054502.GA18560@xor.obsecurity.org>
In-Reply-To: <20060116004438.GA27901@xor.obsecurity.org>
List-Id: Networking and TCP/IP with FreeBSD

On Sun, Jan 15, 2006 at 07:44:38PM -0500, Kris Kennaway wrote:
> I ran ntpdate on an amd64 system with ipv6 enabled and a skewed clock
> (ntpdate stepped it back by about an hour), and immediately got a
> use-after-free panic in ifaddr.  When I rebooted with memguard enabled
> on this malloc type and retried, I got this panic upon changing the
> date forward, then back, then forward again (also note the garbage
> return data from ntpdate):

Has anyone looked at this?  This is on the TODO list for 6.1, so the
sooner it can be resolved the better.

Kris

> # date 200606011200
> Thu Jun  1 12:00:00 UTC 2006
> # ntpdate ntp.apple.com
> 16 Jan 00:40:18 ntpdate[612]: step time server 17.254.0.28 offset -~9000pm6}9426375508.195959 sec
> # date 200606011200
> Thu Jun  1 12:00:00 UTC 2006
>
> Fatal trap 12: page fault while in kernel mode
> cpuid = 0; apic id = 00
> fault virtual address   = 0xffffffff91bd2198
> fault code              = supervisor write, protection violation
> instruction pointer     = 0x8:0xffffffff80321346
> stack pointer           = 0x10:0xffffffffbcfa1b60
> frame pointer           = 0x10:0xffffffffbcfa1b90
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                         = DPL 0, pres 1, long 1, def32 0, gran 1
> processor eflags        = interrupt enabled, resume, IOPL = 0
> current process         = 14 (swi4: clock sio)
> [thread pid 14 tid 100010 ]
> Stopped at      nd6_timer+0x106:        movl    %eax,0x198(%rbx)
> db> wh
> Tracing pid 14 tid 100010 td 0xffffff03e15d6c30
> nd6_timer() at nd6_timer+0x106
> softclock() at softclock+0x279
> ithread_execute_handlers() at ithread_execute_handlers+0x12f
> ithread_loop() at ithread_loop+0x99
> fork_exit() at fork_exit+0xdf
> fork_trampoline() at fork_trampoline+0xe
> --- trap 0, rip = 0, rsp = 0xffffffffbcfa1d40, rbp = 0 ---
>
> Unfortunately I can't dump on this system, but:
>
> (kgdb) list *(nd6_timer+0x106)
> 0xffffffff80321346 is in nd6_timer (../../../netinet6/nd6.c:585).
> 580                     goto addrloop; /* XXX: see below */
> 581             }
> 582             if (IFA6_IS_DEPRECATED(ia6)) {
> 583                     int oldflags = ia6->ia6_flags;
> 584
> 585                     ia6->ia6_flags |= IN6_IFF_DEPRECATED;
> 586
> 587                     /*
> 588                      * If a temporary address has just become deprecated,
> 589                      * regenerate a new one if possible.
>
> Kris
>