svn commit: r335919 - head/sys/netinet6
Cy Schubert
Cy.Schubert at cschubert.com
Wed Jul 4 13:06:19 UTC 2018
Hi Matt,
This is causing a panic of my gateway machine. Likely due to router
solicitations.
Disabling anything IPv6 in rc.conf avoids the panic.
cwfw# grep '^# TEMP' /etc/rc.conf
# TEMP ifconfig_sk0_ipv6="inet6 fc00:1:1:1::fffe prefixlen 64
-accept_rtadv"
# TEMP ifconfig_nfe0_ipv6="inet6 fc00:1:1:2::fffe prefixlen 64
-accept_rtadv"
# TEMP rtadvd_enable="YES" # Set to YES to enable an IPv6 router
# TEMP rtadvd_interfaces="sk0 nfe0" # Interfaces rtadvd sends RA
packets.
# TEMP ipv6_gateway_enable="YES" # Set to YES if this host will be a
gateway.
# TEMP route6d_enable="YES" # Set to YES to enable an IPv6 routing
daemon.
cwfw#
In message <201807032330.w63NUr6P074115 at repo.freebsd.org>, Matt Macy
writes:
> Author: mmacy
> Date: Tue Jul 3 23:30:53 2018
> New Revision: 335919
> URL: https://svnweb.freebsd.org/changeset/base/335919
>
> Log:
> udp6_input: validate inpcb before use
>
> When traversing pcbinfo lists (rather than calling lookup) we need to
> explicitly validate an inpcb before use.
>
> Modified:
> head/sys/netinet6/udp6_usrreq.c
>
> Modified: head/sys/netinet6/udp6_usrreq.c
> =============================================================================
> =
> --- head/sys/netinet6/udp6_usrreq.c Tue Jul 3 23:29:18 2018 (r33591
> 8)
> +++ head/sys/netinet6/udp6_usrreq.c Tue Jul 3 23:30:53 2018 (r33591
> 9)
> @@ -355,6 +355,10 @@ udp6_input(struct mbuf **mp, int *offp, int proto)
> int blocked;
>
> INP_RLOCK(inp);
> + if (__predict_false(inp->inp_flags2 & INP_FREED
> )) {
> + INP_RUNLOCK(inp);
> + continue;
> + }
>
> bzero(&mcaddr, sizeof(struct sockaddr_in6));
> mcaddr.sin6_len = sizeof(struct sockaddr_in6);
> @@ -382,10 +386,12 @@ udp6_input(struct mbuf **mp, int *offp, int proto)
> if ((n = m_copym(m, 0, M_COPYALL, M_NOWAIT)) !=
> NULL) {
> INP_RLOCK(last);
> - UDP_PROBE(receive, NULL, last, ip6,
> - last, uh);
> - if (udp6_append(last, n, off, fromsa))
> - goto inp_lost;
> + if (__predict_true(inp->inp_flags2 & IN
> P_FREED) == 0) {
> + UDP_PROBE(receive, NULL, last,
> ip6,
> + last, uh);
> + if (udp6_append(last, n, off, f
> romsa))
> + goto inp_lost;
> + }
> INP_RUNLOCK(last);
> }
> }
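Review bot: The guards added in the second and third hunks test `inp->inp_flags2`, but the pcb that was just read-locked and is about to be handed to udp6_append() is `last`, so the check should read `last->inp_flags2`. The third hunk runs after the pcb list traversal, where `inp` presumably no longer refers to a valid pcb (likely NULL once the loop is exhausted), so the guard meant to prevent use of a freed pcb becomes an invalid dereference itself; this is consistent with the page fault at udp6_usrreq.c:424 reported later in this message. The branch hint also wraps the flag test rather than the comparison; `if (__predict_true((last->inp_flags2 & INP_FREED) == 0)) {` addresses both points. udp6_input's body starts and ends outside these hunks, so the state of `inp` at that point should be confirmed against the full function.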
> @@ -414,10 +420,13 @@ udp6_input(struct mbuf **mp, int *offp, int proto)
> goto badheadlocked;
> }
> INP_RLOCK(last);
> - INP_INFO_RUNLOCK(pcbinfo);
> - UDP_PROBE(receive, NULL, last, ip6, last, uh);
> - if (udp6_append(last, m, off, fromsa) == 0)
> + if (__predict_true(inp->inp_flags2 & INP_FREED) == 0) {
> + UDP_PROBE(receive, NULL, last, ip6, last, uh);
> + if (udp6_append(last, m, off, fromsa) == 0)
> + INP_RUNLOCK(last);
> + } else
> INP_RUNLOCK(last);
> + INP_INFO_RUNLOCK(pcbinfo);
> inp_lost:
> return (IPPROTO_DONE);
> }
Here:
Unread portion of the kernel message buffer:
Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address = 0x60
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff808312cf
stack pointer = 0x28:0xfffffe00004b6700
frame pointer = 0x28:0xfffffe00004b6810
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 12 (irq16: skc0)
trap number = 12
panic: page fault
cpuid = 1
time = 1530707882
KDB: stack backtrace:
#0 0xffffffff80655217 at kdb_backtrace+0x67
#1 0xffffffff8060a803 at vpanic+0x1a3
#2 0xffffffff8060a653 at panic+0x43
#3 0xffffffff8094621f at trap_fatal+0x35f
#4 0xffffffff80946279 at trap_pfault+0x49
#5 0xffffffff8094589e at trap+0x29e
#6 0xffffffff80926afc at calltrap+0x8
#7 0xffffffff808123e8 at ip6_input+0xdd8
#8 0xffffffff80721756 at netisr_dispatch_src+0xd6
#9 0xffffffff8070e1c3 at ether_demux+0x163
#10 0xffffffff8070f326 at ether_nh_input+0x346
#11 0xffffffff80721756 at netisr_dispatch_src+0xd6
#12 0xffffffff8070e5c4 at ether_input+0x54
#13 0xffffffff813fdb81 at sk_rxeof+0x261
#14 0xffffffff813fd168 at sk_intr+0x118
#15 0xffffffff805ce299 at intr_event_execute_handlers+0xe9
#16 0xffffffff805ce5a7 at ithread_loop+0xe7
#17 0xffffffff805cb553 at fork_exit+0x83
Uptime: 1m35s
Dumping 448 out of 4070 MB:..4%..11%..22%..33%..43%..54%..61%..72%..83%.
.93%
__curthread () at ./machine/pcpu.h:231
231 __asm("movq %%gs:%1,%0" : "=r" (td)
(kgdb) bt
#0 __curthread () at ./machine/pcpu.h:231
#1 doadump (textdump=<optimized out>)
at /opt/src/svn-current/sys/kern/kern_shutdown.c:366
#2 0xffffffff8060a3eb in kern_reboot (howto=260)
at /opt/src/svn-current/sys/kern/kern_shutdown.c:446
#3 0xffffffff8060a863 in vpanic (fmt=<optimized out>,
ap=0xfffffe00004b6450)
at /opt/src/svn-current/sys/kern/kern_shutdown.c:863
#4 0xffffffff8060a653 in panic (fmt=<unavailable>)
at /opt/src/svn-current/sys/kern/kern_shutdown.c:790
#5 0xffffffff8094621f in trap_fatal (frame=0xfffffe00004b6640, eva=96)
at /opt/src/svn-current/sys/amd64/amd64/trap.c:892
#6 0xffffffff80946279 in trap_pfault (frame=0xfffffe00004b6640,
usermode=0)
at /opt/src/svn-current/sys/amd64/amd64/trap.c:728
#7 0xffffffff8094589e in trap (frame=0xfffffe00004b6640)
at /opt/src/svn-current/sys/amd64/amd64/trap.c:427
#8 <signal handler called>
#9 udp6_input (mp=<optimized out>, offp=<optimized out>,
proto=<optimized out>)
at /opt/src/svn-current/sys/netinet6/udp6_usrreq.c:424
#10 0xffffffff808123e8 in ip6_input (m=0xfffff80005044400)
at /opt/src/svn-current/sys/netinet6/ip6_input.c:962
#11 0xffffffff80721756 in netisr_dispatch_src (proto=6,
source=<optimized out>, m=0x1)
---Type <return> to continue, or q <return> to quit---
at /opt/src/svn-current/sys/net/netisr.c:1122
#12 0xffffffff8070e1c3 in ether_demux (ifp=0xfffff80003222800,
m=0xfffff8000309a580) at /opt/src/svn-current/sys/net/if_ethersubr.c
:873
#13 0xffffffff8070f326 in ether_input_internal (ifp=0xfffff80003222800,
m=0xfffff8000309a580) at /opt/src/svn-current/sys/net/if_ethersubr.c
:661
#14 ether_nh_input (m=<optimized out>)
at /opt/src/svn-current/sys/net/if_ethersubr.c:691
#15 0xffffffff80721756 in netisr_dispatch_src (proto=5,
source=<optimized out>, m=0x1)
at /opt/src/svn-current/sys/net/netisr.c:1122
#16 0xffffffff8070e5c4 in ether_input (ifp=0xfffff80003222800, m=0x0)
at /opt/src/svn-current/sys/net/if_ethersubr.c:781
#17 0xffffffff813fdb81 in sk_rxeof (sc_if=<optimized out>)
at /opt/src/svn-current/sys/dev/sk/if_sk.c:2792
#18 0xffffffff813fd168 in sk_intr (xsc=0xfffff800031ac600)
at /opt/src/svn-current/sys/dev/sk/if_sk.c:3119
#19 0xffffffff805ce299 in intr_event_execute_handlers (p=<optimized out>
,
ie=0xfffff8000205e500) at /opt/src/svn-current/sys/kern/kern_intr.c:
1013
#20 0xffffffff805ce5a7 in ithread_execute_handlers (ie=<optimized out>,
p=<optimized out>) at /opt/src/svn-current/sys/kern/kern_intr.c:1026
#21 ithread_loop (arg=0xfffff80003029f60)
at /opt/src/svn-current/sys/kern/kern_intr.c:1106
#22 0xffffffff805cb553 in fork_exit (
---Type <return> to continue, or q <return> to quit---q
callout=0xffffffff805ce4c0 <ithread_loop>, Quit
(kgdb) frame 9
#9 udp6_input (mp=<optimized out>, offp=<optimized out>,
proto=<optimized out>)
at /opt/src/svn-current/sys/netinet6/udp6_usrreq.c:424
424 if (__predict_true(inp->inp_flags2 & INP_FREED) == 0) {
(kgdb) l
419 UDPSTAT_INC(udps_noport);
420 UDPSTAT_INC(udps_noportmcast);
421 goto badheadlocked;
422 }
423 INP_RLOCK(last);
424 if (__predict_true(inp->inp_flags2 & INP_FREED) == 0) {
425 UDP_PROBE(receive, NULL, last, ip6, last, uh);
426 if (udp6_append(last, m, off, fromsa) == 0)
427 INP_RUNLOCK(last);
428 } else
(kgdb) p last
$1 = <optimized out>
(kgdb) p inp->inp_flags2
value has been optimized out
(kgdb) p inp
$2 = <optimized out>
(kgdb)
--
Cheers,
Cy Schubert <Cy.Schubert at cschubert.com>
FreeBSD UNIX: <cy at FreeBSD.org> Web: http://www.FreeBSD.org
The need of the many outweighs the greed of the few.