Date:      Sun, 8 Jul 2018 09:46:11 +0200
From:      John Hay <jhay@meraka.org.za>
To:        freebsd-net@freebsd.org
Subject:   Bug in route6d?
Message-ID:  <CAGv8uaogUNfb-BkgG6PXN_wgavX=HPGDg8xf7wLgHWZ_NLEfOw@mail.gmail.com>


Hi All,

I have a small ntp server (PC Engines APU), with an ipv6 subnet on lo0 with
route6d to advertise it. A few minutes after almost every reboot, route6d
will crash with a sig 11. If I then restart route6d, it will run until the
next time I reboot. I think it is when re0 finally gets a global ipv6
address.

Currently it is running 11.2, but the problem is not new. It has been there
in 10.x and before.

A sanitised piece of rc.conf looks like this:
<snip>
# Disable to make ipv6 work
ifconfig_re0="-rxcsum -txcsum"
ipv4_addrs_re0="X.Y.8.18/24"
ipv4_addrs_lo0="X.Y.58.41/32"
ifconfig_re0_ipv6="inet6 accept_rtadv"
ifconfig_lo0_alias0="inet6 2001:A:B:C::1/64"
defaultrouter="X.Y.8.1"
route6d_enable="YES"
route6d_flags="-s"
ipv6_gateway_enable="YES"
</snip>

Gdb says:

<snip>
root@tick:/ # gdb /usr/sbin/route6d /route6d.old.core
GNU gdb 6.1.1 [FreeBSD]
...
Core was generated by `/usr/sbin/route6d -s'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.7...Reading symbols from
/usr/lib/debug//lib/libc.so.7.debug...done.
done.
Loaded symbols for /lib/libc.so.7
Reading symbols from /libexec/ld-elf.so.1...Reading symbols from
/usr/lib/debug//libexec/ld-elf.so.1.debug...done.
done.
Loaded symbols for /libexec/ld-elf.so.1
#0  ifrt (ifcp=0x800e38000, again=1) at
/usr/src/usr.sbin/route6d/route6d.c:2206
2206                    TAILQ_REMOVE(&riprt_head, rrt, rrt_next);
(gdb)
</snip>

Looking at the code, I think rrt should not be removed, but rather
search_rrt and it should be freed afterwards? Route6d has now survived a
few reboots with the following patch.

<snip>
--- route6d.c.org       2018-06-22 01:03:51.000000000 +0200
+++ route6d.c   2018-07-08 08:23:53.279925000 +0200
@@ -2203,8 +2203,9 @@
                                        goto next;
                                }

-                               TAILQ_REMOVE(&riprt_head, rrt, rrt_next);
-                               delroute(&rrt->rrt_info, &rrt->rrt_gw);
+                               TAILQ_REMOVE(&riprt_head, search_rrt,
rrt_next);
+                               delroute(&search_rrt->rrt_info,
&search_rrt->rrt_gw);
+                               free(search_rrt);
                        }
                        /* Attach the route to the list */
                        trace(1, "route: %s/%d: register route (%s)\n",
</snip>
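
Review bot: the added free(search_rrt) leaves search_rrt dangling, so confirm that nothing later in this loop body, or on the path reached by the `goto next` above, still reads it; setting search_rrt to NULL right after the free would make any stale use fail loudly. Switching the unlink from rrt to search_rrt fits the visible context: the comment just below the block shows rrt is only attached to the list afterwards, which matches the fault gdb reports at line 2206. The TAILQ_REMOVE and delroute lines are wrapped by the mailer in this inline copy, so it will not apply as shown.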

Regards

John
--
John Hay
