Date: Wed, 04 Jul 2018 06:05:52 -0700 From: Cy Schubert <Cy.Schubert@cschubert.com> To: Matt Macy <mmacy@FreeBSD.org> Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r335919 - head/sys/netinet6 Message-ID: <201807041305.w64D5qiK002898@slippy.cwsent.com> In-Reply-To: Message from Matt Macy <mmacy@FreeBSD.org> of "Tue, 03 Jul 2018 23:30:53 -0000." <201807032330.w63NUr6P074115@repo.freebsd.org>
Hi Matt, This is causing a panic of my gateway machine. Likely due to router solicitations. Disabling anything IPv6 in rc.conf avoids the panic. cwfw# grep '^# TEMP' /etc/rc.conf # TEMP ifconfig_sk0_ipv6="inet6 fc00:1:1:1::fffe prefixlen 64 -accept_rtadv" # TEMP ifconfig_nfe0_ipv6="inet6 fc00:1:1:2::fffe prefixlen 64 -accept_rtadv" # TEMP rtadvd_enable="YES" # Set to YES to enable an IPv6 router # TEMP rtadvd_interfaces="sk0 nfe0" # Interfaces rtadvd sends RA packets. # TEMP ipv6_gateway_enable="YES" # Set to YES if this host will be a gateway. # TEMP route6d_enable="YES" # Set to YES to enable an IPv6 routing daemon. cwfw# In message <201807032330.w63NUr6P074115@repo.freebsd.org>, Matt Macy writes:
> Author: mmacy
> Date: Tue Jul 3 23:30:53 2018
> New Revision: 335919
> URL: https://svnweb.freebsd.org/changeset/base/335919
>
> Log:
> udp6_input: validate inpcb before use
>
> When traversing pcbinfo lists (rather than calling lookup) we need to
> explicitly validate an inpcb before use.
>
> Modified:
> head/sys/netinet6/udp6_usrreq.c
>
> Modified: head/sys/netinet6/udp6_usrreq.c
> =============================================================================
> =
> --- head/sys/netinet6/udp6_usrreq.c Tue Jul 3 23:29:18 2018 (r33591
> 8)
> +++ head/sys/netinet6/udp6_usrreq.c Tue Jul 3 23:30:53 2018 (r33591
> 9)
> @@ -355,6 +355,10 @@ udp6_input(struct mbuf **mp, int *offp, int proto)
> int blocked;
>
> INP_RLOCK(inp);
> + if (__predict_false(inp->inp_flags2 & INP_FREED
> )) {
> + INP_RUNLOCK(inp);
> + continue;
> + }
>
> bzero(&mcaddr, sizeof(struct sockaddr_in6));
> mcaddr.sin6_len = sizeof(struct sockaddr_in6);
> @@ -382,10 +386,12 @@ udp6_input(struct mbuf **mp, int *offp, int proto)
> if ((n = m_copym(m, 0, M_COPYALL, M_NOWAIT)) !=
> NULL) {
> INP_RLOCK(last);
> - UDP_PROBE(receive, NULL, last, ip6,
> - last, uh);
> - if (udp6_append(last, n, off, fromsa))
> - goto inp_lost;
> + if (__predict_true(inp->inp_flags2 & IN
> P_FREED) == 0) {
> + UDP_PROBE(receive, NULL, last,
> ip6,
> + last, uh);
> + if (udp6_append(last, n, off, f
> romsa))
> + goto inp_lost;
> + }
> INP_RUNLOCK(last);
> }
> }
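Review bot: The new guard in this hunk tests `inp->inp_flags2`, but the pcb that was just read-locked and is about to be handed to udp6_append() is `last`, so a freed `last` is not caught here. The next hunk (new line 424) repeats the expression after the list walk, and the kgdb session quoted in this message faults exactly there with fault address 0x60, which is consistent with `inp` being NULL at that point (inferred, the loop header is outside the hunks); the backtrace reaches it from ip6_input, i.e. from received traffic. The `== 0` also sits outside `__predict_true()`, so the hint is applied to the raw flag test rather than to the not-freed condition. Both sites should read `if (__predict_true((last->inp_flags2 & INP_FREED) == 0)) {`.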
> @@ -414,10 +420,13 @@ udp6_input(struct mbuf **mp, int *offp, int proto)
> goto badheadlocked;
> }
> INP_RLOCK(last);
> - INP_INFO_RUNLOCK(pcbinfo);
> - UDP_PROBE(receive, NULL, last, ip6, last, uh);
> - if (udp6_append(last, m, off, fromsa) == 0)
> + if (__predict_true(inp->inp_flags2 & INP_FREED) == 0) {
> + UDP_PROBE(receive, NULL, last, ip6, last, uh);
> + if (udp6_append(last, m, off, fromsa) == 0)
> + INP_RUNLOCK(last);
> + } else
> INP_RUNLOCK(last);
> + INP_INFO_RUNLOCK(pcbinfo);
> inp_lost:
> return (IPPROTO_DONE);
> }
Here: Unread portion of the kernel message buffer: Fatal trap 12: page fault while in kernel mode cpuid = 1; apic id = 01 fault virtual address = 0x60 fault code = supervisor read data, page not present instruction pointer = 0x20:0xffffffff808312cf stack pointer = 0x28:0xfffffe00004b6700 frame pointer = 0x28:0xfffffe00004b6810 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 12 (irq16: skc0) trap number = 12 panic: page fault cpuid = 1 time = 1530707882 KDB: stack backtrace: #0 0xffffffff80655217 at kdb_backtrace+0x67 #1 0xffffffff8060a803 at vpanic+0x1a3 #2 0xffffffff8060a653 at panic+0x43 #3 0xffffffff8094621f at trap_fatal+0x35f #4 0xffffffff80946279 at trap_pfault+0x49 #5 0xffffffff8094589e at trap+0x29e #6 0xffffffff80926afc at calltrap+0x8 #7 0xffffffff808123e8 at ip6_input+0xdd8 #8 0xffffffff80721756 at netisr_dispatch_src+0xd6 #9 0xffffffff8070e1c3 at ether_demux+0x163 #10 0xffffffff8070f326 at ether_nh_input+0x346 #11 0xffffffff80721756 at netisr_dispatch_src+0xd6 #12 0xffffffff8070e5c4 at ether_input+0x54 #13 0xffffffff813fdb81 at sk_rxeof+0x261 #14 0xffffffff813fd168 at sk_intr+0x118 #15 0xffffffff805ce299 at intr_event_execute_handlers+0xe9 #16 0xffffffff805ce5a7 at ithread_loop+0xe7 #17 0xffffffff805cb553 at fork_exit+0x83 Uptime: 1m35s Dumping 448 out of 4070 MB:..4%..11%..22%..33%..43%..54%..61%..72%..83%.
.93% __curthread () at ./machine/pcpu.h:231 231 __asm("movq %%gs:%1,%0" : "=r" (td) (kgdb) bt #0 __curthread () at ./machine/pcpu.h:231 #1 doadump (textdump=<optimized out>) at /opt/src/svn-current/sys/kern/kern_shutdown.c:366 #2 0xffffffff8060a3eb in kern_reboot (howto=260) at /opt/src/svn-current/sys/kern/kern_shutdown.c:446 #3 0xffffffff8060a863 in vpanic (fmt=<optimized out>, ap=0xfffffe00004b6450) at /opt/src/svn-current/sys/kern/kern_shutdown.c:863 #4 0xffffffff8060a653 in panic (fmt=<unavailable>) at /opt/src/svn-current/sys/kern/kern_shutdown.c:790 #5 0xffffffff8094621f in trap_fatal (frame=0xfffffe00004b6640, eva=96) at /opt/src/svn-current/sys/amd64/amd64/trap.c:892 #6 0xffffffff80946279 in trap_pfault (frame=0xfffffe00004b6640, usermode=0) at /opt/src/svn-current/sys/amd64/amd64/trap.c:728 #7 0xffffffff8094589e in trap (frame=0xfffffe00004b6640) at /opt/src/svn-current/sys/amd64/amd64/trap.c:427 #8 <signal handler called> #9 udp6_input (mp=<optimized out>, offp=<optimized out>, proto=<optimized out>) at /opt/src/svn-current/sys/netinet6/udp6_usrreq.c:424 #10 0xffffffff808123e8 in ip6_input (m=0xfffff80005044400) at /opt/src/svn-current/sys/netinet6/ip6_input.c:962 #11 0xffffffff80721756 in netisr_dispatch_src (proto=6, source=<optimized out>, m=0x1) ---Type <return> to continue, or q <return> to quit--- at /opt/src/svn-current/sys/net/netisr.c:1122 #12 0xffffffff8070e1c3 in ether_demux (ifp=0xfffff80003222800, m=0xfffff8000309a580) at /opt/src/svn-current/sys/net/if_ethersubr.c :873 #13 0xffffffff8070f326 in ether_input_internal (ifp=0xfffff80003222800, m=0xfffff8000309a580) at /opt/src/svn-current/sys/net/if_ethersubr.c :661 #14 ether_nh_input (m=<optimized out>) at /opt/src/svn-current/sys/net/if_ethersubr.c:691 #15 0xffffffff80721756 in netisr_dispatch_src (proto=5, source=<optimized out>, m=0x1) at /opt/src/svn-current/sys/net/netisr.c:1122 #16 0xffffffff8070e5c4 in ether_input (ifp=0xfffff80003222800, m=0x0) at 
/opt/src/svn-current/sys/net/if_ethersubr.c:781 #17 0xffffffff813fdb81 in sk_rxeof (sc_if=<optimized out>) at /opt/src/svn-current/sys/dev/sk/if_sk.c:2792 #18 0xffffffff813fd168 in sk_intr (xsc=0xfffff800031ac600) at /opt/src/svn-current/sys/dev/sk/if_sk.c:3119 #19 0xffffffff805ce299 in intr_event_execute_handlers (p=<optimized out> , ie=0xfffff8000205e500) at /opt/src/svn-current/sys/kern/kern_intr.c: 1013 #20 0xffffffff805ce5a7 in ithread_execute_handlers (ie=<optimized out>, p=<optimized out>) at /opt/src/svn-current/sys/kern/kern_intr.c:1026 #21 ithread_loop (arg=0xfffff80003029f60) at /opt/src/svn-current/sys/kern/kern_intr.c:1106 #22 0xffffffff805cb553 in fork_exit ( ---Type <return> to continue, or q <return> to quit---q callout=0xffffffff805ce4c0 <ithread_loop>, Quit (kgdb) frame 9 #9 udp6_input (mp=<optimized out>, offp=<optimized out>, proto=<optimized out>) at /opt/src/svn-current/sys/netinet6/udp6_usrreq.c:424 424 if (__predict_true(inp->inp_flags2 & INP_FREED) == 0) { (kgdb) l 419 UDPSTAT_INC(udps_noport); 420 UDPSTAT_INC(udps_noportmcast); 421 goto badheadlocked; 422 } 423 INP_RLOCK(last); 424 if (__predict_true(inp->inp_flags2 & INP_FREED) == 0) { 425 UDP_PROBE(receive, NULL, last, ip6, last, uh); 426 if (udp6_append(last, m, off, fromsa) == 0) 427 INP_RUNLOCK(last); 428 } else (kgdb) p last $1 = <optimized out> (kgdb) p inp->inp_flags2 value has been optimized out (kgdb) p inp $2 = <optimized out> (kgdb) -- Cheers, Cy Schubert <Cy.Schubert@cschubert.com> FreeBSD UNIX: <cy@FreeBSD.org> Web: http://www.FreeBSD.org The need of the many outweighs the greed of the few.