[Bug 229807] route6d terminate with signal 11

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Mon Jul 16 14:56:04 UTC 2018


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229807

            Bug ID: 229807
           Summary: route6d terminate with signal 11
           Product: Base System
           Version: 11.2-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: misc
          Assignee: bugs at FreeBSD.org
          Reporter: john at sanren.ac.za

Created attachment 195173
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=195173&action=edit
patch that I am using

I have a small NTP server (PC Engines APU) with an IPv6 subnet on lo0 and
route6d to advertise it. A few minutes after almost every reboot, route6d will
crash with a sig 11. If I then restart route6d, it will run until the next time
I reboot. I think it is when re0 finally gets a global IPv6 address.

Currently it is running 11.2, but the problem is not new. It has been there in
10.x and before.

A sanitised piece of rc.conf looks like this:

<snip>
# Disable to make ipv6 work
ifconfig_re0="-rxcsum -txcsum"
ipv4_addrs_re0="X.Y.8.18/24"
ipv4_addrs_lo0="X.Y.58.41/32"
ifconfig_re0_ipv6="inet6 accept_rtadv"
ifconfig_lo0_alias0="inet6 2001:A:B:C::1/64"
defaultrouter="X.Y.8.1"
route6d_enable="YES"
route6d_flags="-s"
ipv6_gateway_enable="YES"
</snip>

Gdb says:

<snip>
root at tick:/ # gdb /usr/sbin/route6d /route6d.old.core
GNU gdb 6.1.1 [FreeBSD]
...
Core was generated by `/usr/sbin/route6d -s'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.7...Reading symbols from
/usr/lib/debug//lib/libc.so.7.debug...done.
done.
Loaded symbols for /lib/libc.so.7
Reading symbols from /libexec/ld-elf.so.1...Reading symbols from
/usr/lib/debug//libexec/ld-elf.so.1.debug...done.
done.
Loaded symbols for /libexec/ld-elf.so.1
#0  ifrt (ifcp=0x800e38000, again=1) at
/usr/src/usr.sbin/route6d/route6d.c:2206
2206                    TAILQ_REMOVE(&riprt_head, rrt, rrt_next);
(gdb)
</snip>

Looking at the code, I think rrt should not be removed, but rather search_rrt,
and it should be freed afterwards? Route6d has now survived a few reboots with
the following patch.

<snip>
--- route6d.c.org       2018-06-22 01:03:51.000000000 +0200
+++ route6d.c   2018-07-08 08:23:53.279925000 +0200
@@ -2203,8 +2203,9 @@
                                        goto next;
                                }

-                               TAILQ_REMOVE(&riprt_head, rrt, rrt_next);
-                               delroute(&rrt->rrt_info, &rrt->rrt_gw);
+                               TAILQ_REMOVE(&riprt_head, search_rrt,
rrt_next);
+                               delroute(&search_rrt->rrt_info,
&search_rrt->rrt_gw);
+                               free(search_rrt);
                        }
                        /* Attach the route to the list */
                        trace(1, "route: %s/%d: register route (%s)\n",
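Review bot: the `-` lines remove the wrong element, and the `+` lines correct it: the `/* Attach the route to the list */` comment that follows the block shows `rrt` is the new entry about to be inserted into riprt_head, so it is not linked yet, and `TAILQ_REMOVE(&riprt_head, rrt, rrt_next)` on an unlinked element writes through its uninitialised `rrt_next` link pointers, which is consistent with the segfault gdb places on that line. Removing `search_rrt` (by the reporter's description, the existing entry for the same prefix that is on the list), calling delroute() on its route info and gateway, and then freeing it is the right sequence; the added `free(search_rrt)` is needed because once the entry is unlinked nothing on the list references it any more, and leaving it would leak one entry per replacement. Before this is applied, the `+` lines need to be re-joined: in the mail `TAILQ_REMOVE(&riprt_head, search_rrt,` / `rrt_next);` and the delroute() call are each wrapped across two lines, so the patch will not apply as pasted. Also confirm no caller keeps a pointer to `search_rrt` past this point; the `trace(1, ...)` context line that follows only refers to the new route, so within this hunk that looks fine.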
</snip>

-- 
You are receiving this mail because:
You are the assignee for the bug.


More information about the freebsd-bugs mailing list
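The failure the report describes is a general sys/queue.h rule: TAILQ_REMOVE may only be applied to an element that is currently linked into the list, because it writes through the element's own tqe_prev/tqe_next pointers. The block below is an added example, not code from FreeBSD's route6d or from the reporter; it models the "replace an existing route with a better one" step that the backtrace and diff point at, using the real TAILQ macros from sys/queue.h (assumed to be the glibc or BSD header). The names struct riprt, riprt_head, search_rrt, rtsearch() and delroute() are assumptions chosen to mirror the report, delroute() is a counter rather than a kernel call, and the prefixes in demo() are constructed sample data.

```c
/*
 * Added example, not FreeBSD's route6d code: a minimal model of the route
 * registration step in ifrt(), written so that the only element ever passed
 * to TAILQ_REMOVE is one that is actually on riprt_head.  Names mirror the
 * bug report but are assumptions; the sample prefixes are constructed.
 */
#include <stdlib.h>
#include <string.h>
#include <sys/queue.h>

struct riprt {
    TAILQ_ENTRY(riprt) rrt_next;    /* list linkage (tqe_next / tqe_prev) */
    unsigned char rrt_dest[16];     /* IPv6 prefix */
    int rrt_plen;                   /* prefix length */
    int rrt_metric;                 /* RIPng metric, lower is better */
};

static TAILQ_HEAD(riprt_list, riprt) riprt_head = TAILQ_HEAD_INITIALIZER(riprt_head);

static int kernel_deletes;  /* how many routes delroute() has "removed" */

/* Stand-in for route6d's delroute(): just record that it happened. */
static void delroute(const struct riprt *rrt)
{
    (void)rrt;
    kernel_deletes++;
}

/* Find an existing list entry for the same prefix (assumed rtsearch()). */
static struct riprt *rtsearch(const unsigned char *dest, int plen)
{
    struct riprt *rrt;

    TAILQ_FOREACH(rrt, &riprt_head, rrt_next)
        if (rrt->rrt_plen == plen && memcmp(rrt->rrt_dest, dest, 16) == 0)
            return rrt;
    return NULL;
}

enum reg_result { REG_NEW, REG_KEPT_OLD, REG_REPLACED };

/*
 * Register `rrt`, a freshly allocated entry that is NOT yet on riprt_head.
 * The crash in the report comes from TAILQ_REMOVE(&riprt_head, rrt, ...)
 * on exactly such an unlinked element: the macro dereferences
 * rrt->rrt_next.tqe_prev, which a new allocation never initialised.  The
 * element that is on the list, and so the only one that may be unlinked,
 * is the one rtsearch() returns.
 */
static enum reg_result register_route(struct riprt *rrt)
{
    struct riprt *search_rrt = rtsearch(rrt->rrt_dest, rrt->rrt_plen);

    if (search_rrt != NULL) {
        if (search_rrt->rrt_metric <= rrt->rrt_metric) {
            free(rrt);              /* already have an equal or better route */
            return REG_KEPT_OLD;
        }
        TAILQ_REMOVE(&riprt_head, search_rrt, rrt_next);    /* linked: safe */
        delroute(search_rrt);
        free(search_rrt);           /* nothing references it once unlinked */
        TAILQ_INSERT_HEAD(&riprt_head, rrt, rrt_next);
        return REG_REPLACED;
    }
    TAILQ_INSERT_HEAD(&riprt_head, rrt, rrt_next);
    return REG_NEW;
}

static int list_len(void)
{
    struct riprt *rrt;
    int n = 0;

    TAILQ_FOREACH(rrt, &riprt_head, rrt_next)
        n++;
    return n;
}

/* Metric of the registered route for a prefix, or -1 if none. */
static int metric_for(unsigned char first_byte, int plen)
{
    unsigned char dest[16] = { first_byte };
    struct riprt *rrt = rtsearch(dest, plen);

    return rrt ? rrt->rrt_metric : -1;
}

/* Constructed sample entry: only the first prefix byte varies here. */
static struct riprt *mkroute(unsigned char first_byte, int plen, int metric)
{
    struct riprt *rrt = calloc(1, sizeof(*rrt));

    if (rrt == NULL)
        abort();
    rrt->rrt_dest[0] = first_byte;
    rrt->rrt_plen = plen;
    rrt->rrt_metric = metric;
    return rrt;
}

/* Scenario: a prefix is seen once, then again worse, then again better,
 * then an unrelated prefix arrives.  Returns 1 when every step behaved. */
static int demo(void)
{
    int ok = 1;

    ok &= register_route(mkroute(0x20, 64, 2)) == REG_NEW;
    ok &= register_route(mkroute(0x20, 64, 5)) == REG_KEPT_OLD;  /* worse */
    ok &= register_route(mkroute(0x20, 64, 1)) == REG_REPLACED;  /* better */
    ok &= register_route(mkroute(0xfd, 48, 1)) == REG_NEW;
    ok &= list_len() == 2;
    ok &= kernel_deletes == 1;          /* only the replaced route was deleted */
    ok &= metric_for(0x20, 64) == 1;    /* the better route won */
    return ok;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The point of the model is the ordering in register_route(): search first, unlink and free only the entry the search returned, and insert the new entry last, so the new entry is never touched by TAILQ_REMOVE. Running the binary exits 0 when the scenario holds.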