svn commit: r326362 - in head: share/man/man4 sys/net

Hartmann, O. o.hartmann at walstatt.org
Wed Nov 29 13:26:29 UTC 2017 

On Wed, 29 Nov 2017 13:16:28 +0100
Hans Petter Selasky <hps at selasky.org> wrote:

> On 11/29/17 13:16, Hartmann, O. wrote:
> > On Wed, 29 Nov 2017 12:49:19 +0100
> > Hans Petter Selasky <hps at selasky.org> wrote:
> >   
> >> On 11/29/17 11:51, Hartmann, O. wrote:  
> >>> On Wed, 29 Nov 2017 09:40:11 +0000 (UTC)
> >>> Hans Petter Selasky <hselasky at FreeBSD.org> wrote:
> >>>      
> >>>> Author: hselasky
> >>>> Date: Wed Nov 29 09:40:11 2017
> >>>> New Revision: 326362
> >>>> URL: https://svnweb.freebsd.org/changeset/base/326362
> >>>>
> >>>> Log:
> >>>>     Disallow TUN and TAP character device IOCTLs to modify the
> >>>> network device type to any value. This can cause page faults and
> >>>> panics due to accessing uninitialized fields in the "struct
> >>>> ifnet" which are specific to the network device type.
> >>>>     
> >>>>     MFC after:	1 week
> >>>>     Found by:	jau at iki.fi
> >>>>     PR:		223767
> >>>>     Sponsored by:	Mellanox Technologies
> >>>>
> >>>> Modified:
> >>>>     head/share/man/man4/tap.4
> >>>>     head/share/man/man4/tun.4
> >>>>     head/sys/net/if_tap.c
> >>>>     head/sys/net/if_tun.c
> >>>>
> >>>> Modified: head/share/man/man4/tap.4
> >>>> ==============================================================================
> >>>> --- head/share/man/man4/tap.4	Wed Nov 29 09:18:24 2017
> >>>> (r326361) +++ head/share/man/man4/tap.4	Wed Nov 29
> >>>> 09:40:11 2017	(r326362) @@ -1,7 +1,7 @@
> >>>>    .\" $FreeBSD$
> >>>>    .\" Based on PR#2411
> >>>>    .\"
> >>>> -.Dd April 10, 2015
> >>>> +.Dd November 29, 2017
> >>>>    .Dt TAP 4
> >>>>    .Os
> >>>>    .Sh NAME
> >>>> @@ -171,7 +171,14 @@ calls are supported
> >>>>    .In net/if_tap.h ) :
> >>>>    .Bl -tag -width VMIO_SIOCSETMACADDR
> >>>>    .It Dv TAPSIFINFO
> >>>> -Set network interface information (line speed, MTU and type).
> >>>> +Set network interface information (line speed and MTU).
> >>>> +The type must be the same as returned by
> >>>> +.Dv TAPGIFINFO
> >>>> +or set to
> >>>> +.Dv IFT_ETHER
> >>>> +else the
> >>>> +.Xr ioctl 2
> >>>> +call will fail.
> >>>>    The argument should be a pointer to a
> >>>>    .Va struct tapinfo .
> >>>>    .It Dv TAPGIFINFO
> >>>>
> >>>> Modified: head/share/man/man4/tun.4
> >>>> ==============================================================================
> >>>> --- head/share/man/man4/tun.4	Wed Nov 29 09:18:24 2017
> >>>> (r326361) +++ head/share/man/man4/tun.4	Wed Nov 29
> >>>> 09:40:11 2017	(r326362) @@ -2,7 +2,7 @@
> >>>>    .\" $FreeBSD$
> >>>>    .\" Based on PR#2411
> >>>>    .\"
> >>>> -.Dd November 30, 2014
> >>>> +.Dd November 29, 2017
> >>>>    .Dt TUN 4
> >>>>    .Os
> >>>>    .Sh NAME
> >>>> @@ -208,8 +208,15 @@ this stores the internal debugging
> >>>> variable's value in .It Dv TUNSIFINFO
> >>>>    The argument should be a pointer to an
> >>>>    .Vt struct tuninfo
> >>>> -and allows setting the MTU, the type, and the baudrate of the
> >>>> tunnel +and allows setting the MTU and the baudrate of the tunnel
> >>>>    device.
> >>>> +The type must be the same as returned by
> >>>> +.Dv TUNGIFINFO
> >>>> +or set to
> >>>> +.Dv IFT_PPP
> >>>> +else the
> >>>> +.Xr ioctl 2
> >>>> +call will fail.
> >>>>    The
> >>>>    .Vt struct tuninfo
> >>>>    is declared in
> >>>>
> >>>> Modified: head/sys/net/if_tap.c
> >>>> ==============================================================================
> >>>> --- head/sys/net/if_tap.c	Wed Nov 29 09:18:24 2017
> >>>> (r326361) +++ head/sys/net/if_tap.c	Wed Nov 29 09:40:11
> >>>> 2017	(r326362) @@ -737,9 +737,10 @@ tapioctl(struct cdev
> >>>> *dev, u_long cmd, caddr_t data, i switch (cmd) {
> >>>>    		case TAPSIFINFO:
> >>>>    			tapp = (struct tapinfo *)data;
> >>>> +			if (ifp->if_type != tapp->type)
> >>>> +				return (EPROTOTYPE);
> >>>>    			mtx_lock(&tp->tap_mtx);
> >>>>    			ifp->if_mtu = tapp->mtu;
> >>>> -			ifp->if_type = tapp->type;
> >>>>    			ifp->if_baudrate = tapp->baudrate;
> >>>>    			mtx_unlock(&tp->tap_mtx);
> >>>>    			break;
> >>>>
> >>>> Modified: head/sys/net/if_tun.c
> >>>> ==============================================================================
> >>>> --- head/sys/net/if_tun.c	Wed Nov 29 09:18:24 2017
> >>>> (r326361) +++ head/sys/net/if_tun.c	Wed Nov 29 09:40:11
> >>>> 2017	(r326362) @@ -676,9 +676,10 @@ tunioctl(struct cdev
> >>>> *dev, u_long cmd, caddr_t data, i if (error)
> >>>>    				return (error);
> >>>>    		}
> >>>> +		if (TUN2IFP(tp)->if_type != tunp->type)
> >>>> +			return (EPROTOTYPE);
> >>>>    		mtx_lock(&tp->tun_mtx);
> >>>>    		TUN2IFP(tp)->if_mtu = tunp->mtu;
> >>>> -		TUN2IFP(tp)->if_type = tunp->type;
> >>>>    		TUN2IFP(tp)->if_baudrate = tunp->baudrate;
> >>>>    		mtx_unlock(&tp->tun_mtx);
> >>>>    		break;
> >>>> _______________________________________________
> >>>> svn-src-head at freebsd.org mailing list
> >>>> https://lists.freebsd.org/mailman/listinfo/svn-src-head
> >>>> To unsubscribe, send any mail to
> >>>> "svn-src-head-unsubscribe at freebsd.org"  
> >>>
> >>> after updating from r325893 to r326362, FreeBSD CURRENT crashes
> >>> while booting the kernel. I'm sorry having no further
> >>> informations, it happens on a laptop with reduced space.
> >>>
> >>> At the moment, it seems that a lot of boxes running most recent
> >>> CURRENT tend to crash spontanously.
> >>>      
> >>
> >> Hi,
> >>
> >> And you built the kernel from scratch and made sure your source
> >> tree does not contain any .o files nor /usr/obj/* .
> >>
> >> --HPS  
> > 
> > Last time I did the make cleandir was when the OFED driver problem
> > occured, that was some days ago. Useually, I build world and kernel
> > with WITH_META_MODE set.
> >   
> 
> Hi,
> 
> Try to do a clean build w/o META mode.
> 
> rm -rf /usr/obj/*
> 
> And check:
> 
> find /usr/src -name "*.o"
> 
> --HPS
> 

The last remaining system I had finished building a clean world. The
box is now wrecked, too. As the others.
After booting the box in single user mode, performing an installkernel
and rebooting the r326363 kernel in single user mode and performing
installworld, the box quit service via crashing with an obscure message
like 

"spinlock held too long"

and died. Now this last remaining server of mine is also out of service
- with the very same message two others died yesterday and this morning.

The boxes boot and then I get immediately a dump of CPU registeres from
BTX and systems quit service with "BTX halted".

In one case I tried to "repair" by copy manually binaries
to /sbin, /libexec, /lib and /bin via pax -rw -pe to get rid of the
problem, but this also ended in a catastrophy - the kernel, whichever,
new one or the old, do not boot anymore, they get stuck at a certain
point (probably when they load binary images like init, but I have no
clue when this happens in the vein of processes).

Thank you very much in advance for some tips.

oh

More information about the svn-src-all mailing list