Date:      Thu, 21 Sep 2023 21:52:26 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 274009] in_pcblookup_hash_locked: invalid local address panic on sendto(2) to ipv4-mapped
Message-ID:  <bug-274009-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274009

            Bug ID: 274009
           Summary: in_pcblookup_hash_locked: invalid local address panic
                    on sendto(2) to ipv4-mapped
           Product: Base System
           Version: 14.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: freebsd@dev.thsi.be

Hello,

The following panic occurs on an INVARIANTS kernel, a reproducer is
attached at the end of this message.

The problem started to happen quite some months ago on 14-CURRENT
while using the net-p2p/rtorrent application. I believe the reproducer
to be similar to what rtorrent does when it connects to a UDP
tracker, e.g. by using this magnet link:
magnet:?xt=urn:btih:a9164e99d5181cfef0c23c209334103619080908&dn=debian-12.1.0-amd64-netinst.iso&tr=udp%3A%2F%2Fbttracker.debian.org%3A6969%2Fannounce

From my very incomplete understanding, the in_pcb_lport_dest function
isn't properly setting the laddr in the case of an ipv4-mapped ipv6 sendto
address, due to the following check on line 758 of
sys/netinet/in_pcb.c:

        laddr.s_addr = INADDR_ANY;      /* used by INET6+INET below too */
        if ((inp->inp_vflag & (INP_IPV4|INP_IPV6)) == INP_IPV4) {
                if (lsa != NULL)
                        laddr = ((struct sockaddr_in *)lsa)->sin_addr;

In this case, inp_vflag is equal to
INP_IPV4|INP_IPV6|INP_IPV6PROTO (see below); however, the ipv4 code
path is still followed later on, hence the assertion laddr.s_addr != INADDR_ANY
in in_pcblookup_hash_locked fails.

Please let me know if any more information is needed.


(kgdb) bt
#0  kdb_enter (why=<optimized out>, msg=<optimized out>) at
/usr/home/benja/src/freebsd/src/sys/kern/subr_kdb.c:556
#1  0xffffffff80b4f6c3 in vpanic (fmt=0xffffffff811c9e45 "%s: invalid local
address", ap=ap@entry=0xfffffe00695f9790)
    at /usr/home/benja/src/freebsd/src/sys/kern/kern_shutdown.c:958
#2  0xffffffff80b4f4a3 in panic (fmt=0xffffffff8196c800 <cnputs_mtx>
"G\246\024\201\377\377\377\377") at
/usr/home/benja/src/freebsd/src/sys/kern/kern_shutdown.c:894
#3  0xffffffff80d22c16 in in_pcblookup_hash_locked
(pcbinfo=pcbinfo@entry=0xfffffe000a362dd0, faddr=..., fport_arg=2166026500,
fport_arg@entry=256, laddr=...,
    lport_arg=lport_arg@entry=22652, lookupflags=16, numa_domain=255 '\377') at
/usr/home/benja/src/freebsd/src/sys/netinet/in_pcb.c:2350
#4  0xffffffff80d228d6 in in_pcb_lport_dest (inp=inp@entry=0xfffff800077ffc40,
lsa=lsa@entry=0xfffffe00695f9920, lportp=lportp@entry=0xfffffe00695f98fe,
    fsa=fsa@entry=0xfffffe00695f9910, fport=fport@entry=256,
cred=0xfffff800074b3400, lookupflags=1) at
/usr/home/benja/src/freebsd/src/sys/netinet/in_pcb.c:794
#5  0xffffffff80d2339b in in_pcbconnect_setup
(inp=inp@entry=0xfffff800077ffc40, sin=sin@entry=0xfffffe00695f9b78,
laddrp=laddrp@entry=0xfffffe00695f9a00,
    lportp=lportp@entry=0xfffffe00695f9a1c,
faddrp=faddrp@entry=0xfffffe00695f9998, fportp=fportp@entry=0xfffffe00695f9a0e,
cred=0xfffff800074b3400)
    at /usr/home/benja/src/freebsd/src/sys/netinet/in_pcb.c:1376
#6  0xffffffff80d63392 in udp_send (so=so@entry=0xfffff800076813c0,
flags=flags@entry=16, m=m@entry=0xfffff80007bfd900,
addr=addr@entry=0xfffffe00695f9b78,
    control=<optimized out>, control@entry=0x0, td=td@entry=0xfffffe0072393740)
at /usr/home/benja/src/freebsd/src/sys/netinet/udp_usrreq.c:1253
#7  0xffffffff80d9fba2 in udp6_send (so=0xfffff800076813c0, flags_arg=0,
m=0xfffff80007bfd900, addr6=<optimized out>, control=0x0,
td=0xfffffe0072393740)
    at /usr/home/benja/src/freebsd/src/sys/netinet6/udp6_usrreq.c:757
#8  0xffffffff80c00221 in sosend_dgram (so=0xfffff800076813c0,
addr=0xfffff8000377bd80, uio=<optimized out>, top=<optimized out>, control=0x0,
flags=0, td=0xfffffe0072393740)
    at /usr/home/benja/src/freebsd/src/sys/kern/uipc_socket.c:1553
#9  0xffffffff80c00e19 in sousrsend (so=0xffffffff8196c800 <cnputs_mtx>,
so@entry=0xfffff800076813c0, addr=0x80, uio=0xffffffff811af104,
uio@entry=0xfffffe00695f9ce8,
    control=0x10, control@entry=0x0, flags=flags@entry=0,
userproc=userproc@entry=0x0) at
/usr/home/benja/src/freebsd/src/sys/kern/uipc_socket.c:1892
#10 0xffffffff80c076e0 in kern_sendit (td=td@entry=0xfffffe0072393740, s=3,
mp=mp@entry=0xfffffe00695f9dc0, flags=0, control=0x0,
segflg=segflg@entry=UIO_USERSPACE)
    at /usr/home/benja/src/freebsd/src/sys/kern/uipc_syscalls.c:789
#11 0xffffffff80c078e7 in sendit (td=0xfffffe0072393740, s=128,
mp=mp@entry=0xfffffe00695f9dc0, flags=-2128530671) at
/usr/home/benja/src/freebsd/src/sys/kern/uipc_syscalls.c:714
#12 0xffffffff80c0781d in sys_sendto (td=0xffffffff8196c800 <cnputs_mtx>,
uap=<optimized out>) at
/usr/home/benja/src/freebsd/src/sys/kern/uipc_syscalls.c:820
#13 0xffffffff8104e67f in syscallenter (td=0xfffffe0072393740) at
/usr/home/benja/src/freebsd/src/sys/amd64/amd64/../../kern/subr_syscall.c:187
#14 amd64_syscall (td=0xfffffe0072393740, traced=0) at
/usr/home/benja/src/freebsd/src/sys/amd64/amd64/trap.c:1194
#15 <signal handler called>
#16 0x000000082302e98a in ?? ()
#17 0x000000000020183f in ?? ()
#18 0x0000185a00000001 in ?? ()
#19 0x0000000001001c00 in ?? ()
#20 0x0000000000000000 in ?? ()
(kgdb) frame 4
#4  0xffffffff80d228d6 in in_pcb_lport_dest (inp=inp@entry=0xfffff800077ffc40,
lsa=lsa@entry=0xfffffe00695f9920, lportp=lportp@entry=0xfffffe00695f98fe,
    fsa=fsa@entry=0xfffffe00695f9910, fport=fport@entry=256,
cred=0xfffff800074b3400, lookupflags=1) at
/usr/home/benja/src/freebsd/src/sys/netinet/in_pcb.c:794
794                                     tmpinp = in_pcblookup_hash_locked(pcbinfo,
(kgdb) p/x inp->inp_vflag
$1 = 0x7
(kgdb) p/x ((struct sockaddr_in *)lsa)->sin_addr
$3 = {s_addr = 0x100007f}

The reproducer:

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(void) {
        int optval = 0;
        int sock;
        struct sockaddr_in6 sa6 = { 0 };
        sa6.sin6_family = AF_INET6;
        sa6.sin6_port = htons(1);
        /* IPv4-mapped IPv6 destination: the kernel takes the IPv4 code path */
        inet_pton(AF_INET6, "::ffff:127.0.0.1", &(sa6.sin6_addr));
        sock = socket(PF_INET6, SOCK_DGRAM, 0);
        /* dual-stack socket (IPV6_V6ONLY off) so mapped addresses are accepted */
        setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &optval, sizeof(optval));
        sendto(sock, "abcd", 4, 0, (struct sockaddr *)&sa6, sizeof(sa6));
        return 0;
}
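As an added example (not part of the bug report nor of the FreeBSD source), the following C program models the laddr selection check quoted from in_pcb_lport_dest with the inp_vflag and sin_addr values seen in the kgdb session, and shows that the reproducer's destination is an IPv4-mapped address. The INP_* bit values and the helper names are assumptions of this example.

```c
/* Added example (not from the bug report or the FreeBSD tree): userland model of
 * the laddr check quoted from in_pcb_lport_dest; INP_* values assumed from in_pcb.h. */
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#define INP_IPV4      0x1
#define INP_IPV6      0x2
#define INP_IPV6PROTO 0x4

/* Mirror of the quoted check: only a pure INET pcb copies laddr from lsa;
 * a dual-stack pcb (INP_IPV4|INP_IPV6 both set) leaves laddr as INADDR_ANY. */
static in_addr_t model_pick_laddr(int vflag, const struct sockaddr_in *lsa)
{
    in_addr_t laddr = INADDR_ANY;
    if ((vflag & (INP_IPV4 | INP_IPV6)) == INP_IPV4 && lsa != NULL)
        laddr = lsa->sin_addr.s_addr;
    return laddr;
}

/* Precondition that in_pcblookup_hash_locked asserts on its laddr argument. */
static int lookup_precondition_ok(in_addr_t laddr)
{
    return laddr != INADDR_ANY;
}

/* Pull the embedded IPv4 address out of an IPv4-mapped (::ffff:0:0/96) IPv6
 * text address such as the reproducer's ::ffff:127.0.0.1; 0 if not mapped. */
static int mapped_v4(const char *text, in_addr_t *out)
{
    static const unsigned char prefix[12] = { 0,0,0,0,0,0,0,0,0,0,0xff,0xff };
    struct in6_addr a6;
    if (inet_pton(AF_INET6, text, &a6) != 1 || memcmp(a6.s6_addr, prefix, 12) != 0)
        return 0;
    memcpy(out, &a6.s6_addr[12], sizeof(*out)); /* last 4 bytes, network order */
    return 1;
}

int main(void)
{
    struct sockaddr_in lsa = { .sin_family = AF_INET };
    in_addr_t v4 = 0;
    lsa.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* kgdb shows 0x100007f */
    if (mapped_v4("::ffff:127.0.0.1", &v4))
        printf("destination embeds %s\n", inet_ntoa((struct in_addr){ .s_addr = v4 }));
    printf("dual-stack pcb laddr precondition holds: %d\n", lookup_precondition_ok(
        model_pick_laddr(INP_IPV4 | INP_IPV6 | INP_IPV6PROTO, &lsa)));
    return 0;
}
```

With the observed vflag of 0x7 the model leaves laddr at INADDR_ANY, which is exactly the value the assertion in in_pcblookup_hash_locked rejects.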
