kern/189089: Panic when removing an IP address from an interface, if the same address exists on another interface

Alan Somers asomers at freebsd.org
Mon Apr 28 22:50:00 UTC 2014 

>Number:         189089
>Category:       kern
>Synopsis:       Panic when removing an IP address from an interface, if the same address exists on another interface
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 28 22:50:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     Alan Somers
>Release:        11.0 CURRENT
>Organization:
Spectra Logic
>Environment:
FreeBSD b 11.0-CURRENT FreeBSD 11.0-CURRENT #9 r264904M: Fri Apr 25 14:46:45 PDT 2014     neel at b:/usr/obj/neel/usr/freebsd/head2/sys/GENERIC  amd64
>Description:
If you assign the same IP address to multiple interfaces simultaneously, then remove it from one of them, the system will panic with this message:

panic: rtalloc1_fib: bad fibnum

The panic was introduced by revision 264887, which changed the fibnum parameter in the call to rtalloc1_fib() in ifa_switch_loopback_route() from RT_DEFAULT_FIB to RT_ALL_FIBS.  Prior to 264887 the call would always succeed, but it could corrupt the network stack if the route in question was not located in the default fib.  That wasn't a big deal though, since prior to 264887 it was very difficult create that route in a nondefault fib.


>How-To-Repeat:
# # Set net.fibs=1 and net.add_addr_allfibs=1
# ifconfig tap0 create
# ifconfig tap1 create
# ifconfig tap0 192.0.0.2/24 up
# ifconfig tap1 192.0.0.2/32 up
# netstat -rn -f inet
Routing tables

Internet:
Destination        Gateway            Flags    Netif Expire
default            10.1.0.1           UGS       em0
10.1.0.0/20        link#1             U         em0
10.1.3.220         link#1             UHS       lo0
127.0.0.1          link#2             UH        lo0
192.0.0.0/24       link#3             U        tap0
192.0.0.2          link#3             UHS       lo0
192.0.0.2/32       link#4             U        tap1
# ifconfig tap1 -alias 192.0.0.2 # This line will panic!

>Fix:
The solution is to use the interface fib instead of either the default fib or ALL_FIBS.  This will give equivalent behavior as the pre-264887 status quo for the majority of users.

Patch attached with submission follows:

Index: sys/netinet/in.c
===================================================================
--- sys/netinet/in.c	(revision 265061)
+++ sys/netinet/in.c	(working copy)
@@ -696,11 +696,9 @@
 {
 	struct in_ifaddr *ia;
 	struct in_addr prefix, mask, p, m;
-	int error = 0, fibnum;
+	int error = 0;
 	struct sockaddr_in prefix0, mask0;
 
-	fibnum = rt_add_addr_allfibs ? RT_ALL_FIBS : target->ia_ifp->if_fib;
-
 	/*
 	 * Remove the loopback route to the interface address.
 	 */
@@ -712,6 +710,8 @@
 		eia = in_localip_more(target);
 
 		if (eia != NULL) {
+			int fibnum = target->ia_ifp->if_fib;
+
 			error = ifa_switch_loopback_route((struct ifaddr *)eia,
 			    (struct sockaddr *)&target->ia_addr, fibnum);
 			ifa_free(&eia->ia_ifa);
@@ -736,6 +736,10 @@
 	}
 
 	if ((target->ia_flags & IFA_ROUTE) == 0) {
+		int fibnum;
+		
+		fibnum = rt_add_addr_allfibs ? RT_ALL_FIBS :
+			target->ia_ifp->if_fib;
 		rt_addrmsg(RTM_DELETE, &target->ia_ifa, fibnum);
 		return (0);
 	}
Index: tests/sys/netinet/fibs_test.sh
===================================================================
--- tests/sys/netinet/fibs_test.sh	(revision 265061)
+++ tests/sys/netinet/fibs_test.sh	(working copy)
@@ -213,6 +213,45 @@
 }
 
 
+# Regression test for a panic introduced in change 264887
+# Create two tap interfaces and assign them both the same IP address but with
+# different netmasks, and both on the default FIB.  Then remove one's IP
+# address.  Hopefully the machine won't panic.
+atf_test_case same_ip_multiple_ifaces_fib0 cleanup
+same_ip_multiple_ifaces_fib0_head()
+{
+	atf_set "descr" "Can remove an IP alias from an interface when the same IP is also assigned to another interface."
+	atf_set "require.user" "root"
+	atf_set "require.config" "fibs"
+}
+same_ip_multiple_ifaces_fib0_body()
+{
+	ADDR="192.0.2.2"
+	MASK0="24"
+	MASK1="32"
+
+	# Unlike most of the tests in this file, this is applicable regardless
+	# of net.add_addr_allfibs
+
+	# Setup the interfaces, then remove one alias.  It should not panic.
+	setup_tap 0 ${ADDR} ${MASK0}
+	TAP0=${TAP}
+	setup_tap 0 ${ADDR} ${MASK1}
+	TAP1=${TAP}
+	ifconfig ${TAP1} -alias ${ADDR}
+
+	# Do it again, in the opposite order.  It should not panic.
+	setup_tap 0 ${ADDR} ${MASK0}
+	TAP0=${TAP}
+	setup_tap 0 ${ADDR} ${MASK1}
+	TAP1=${TAP}
+	ifconfig ${TAP0} -alias ${ADDR}
+}
+same_ip_multiple_ifaces_fib0_cleanup()
+{
+	cleanup_tap
+}
+
 # Regression test for kern/187550
 atf_test_case subnet_route_with_multiple_fibs_on_same_subnet cleanup
 subnet_route_with_multiple_fibs_on_same_subnet_head()
@@ -309,6 +348,7 @@
 	atf_add_test_case arpresolve_checks_interface_fib
 	atf_add_test_case loopback_and_network_routes_on_nondefault_fib
 	atf_add_test_case default_route_with_multiple_fibs_on_same_subnet
+	atf_add_test_case same_ip_multiple_ifaces_fib0
 	atf_add_test_case subnet_route_with_multiple_fibs_on_same_subnet
 	atf_add_test_case udp_dontroute
 }


>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list