svn commit: r354832 - in head: sys/netinet6 tests/sys/netinet6

Bjoern A. Zeeb bz at FreeBSD.org
Mon Nov 18 22:04:18 UTC 2019


On 18 Nov 2019, at 21:59, Bjoern A. Zeeb wrote:

> Author: bz
> Date: Mon Nov 18 21:59:47 2019
> New Revision: 354832
> URL: https://svnweb.freebsd.org/changeset/base/354832
>
> Log:
>   icmpv6: Fix mbuf change in mld
>
>   After r354748 mld_input() can change the mbuf.  The new pointer
>   is never returned to icmp6_input() and when passed to
>   icmp6_rip6_input() the mbuf may no longer valid leading to
>   a panic.
>   Pass a pointer to the mbuf to mld_input() so we can return an
>   updated version in the non-error case.
>
>   Add a test sending an MLD packet case which will trigger this bug.

The test case currently (after this commit) also triggers an epoch assert which is unrelated to these changes.
Just in case anyone wonders in case they still see a panic with the changes applied.

The original problem manifested itself like this:

Fatal trap 9: general protection fault while in kernel mode
cpuid = 0; apic id = 02
instruction pointer     = 0x20:0xffffffff80e0a7e3
stack pointer           = 0x28:0xfffffe00acfea5f0
frame pointer           = 0x28:0xfffffe00acfea780
code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (swi1: netisr 0)
trap number             = 9
panic: general protection fault
cpuid = 0
time = 1574113185
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00acfea2d0
vpanic() at vpanic+0x17e/frame 0xfffffe00acfea330
panic() at panic+0x43/frame 0xfffffe00acfea390
trap_fatal() at trap_fatal+0x386/frame 0xfffffe00acfea3f0
trap() at trap+0x67/frame 0xfffffe00acfea520
calltrap() at calltrap+0x8/frame 0xfffffe00acfea520
--- trap 0x9, rip = 0xffffffff80e0a7e3, rsp = 0xfffffe00acfea5f0, rbp = 0xfffffe00acfea780 ---
icmp6_input() at icmp6_input+0xf83/frame 0xfffffe00acfea780
ip6_input() at ip6_input+0xd1e/frame 0xfffffe00acfea860
netisr_dispatch_src() at netisr_dispatch_src+0xb1/frame 0xfffffe00acfea8e0
ether_demux() at ether_demux+0x16e/frame 0xfffffe00acfea910
ether_nh_input() at ether_nh_input+0x408/frame 0xfffffe00acfea970
netisr_dispatch_src() at netisr_dispatch_src+0xb1/frame 0xfffffe00acfea9f0
ether_input() at ether_input+0x9d/frame 0xfffffe00acfeaa70
epair_nh_sintr() at epair_nh_sintr+0x17/frame 0xfffffe00acfeaa90
swi_net() at swi_net+0x1c3/frame 0xfffffe00acfeab50
ithread_loop() at ithread_loop+0x1c6/frame 0xfffffe00acfeabb0
fork_exit() at fork_exit+0x80/frame 0xfffffe00acfeabf0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00acfeabf0
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
KDB: enter: panic
[ thread pid 12 tid 100027 ]
Stopped at      kdb_enter+0x37: movq    $0,0x108a776(%rip)
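The bug class the commit message describes (a callee replaces the mbuf chain but the caller keeps using its old pointer, which then reaches icmp6_rip6_input() as a stale reference) is small enough to model outside the kernel. The following is an added example, not FreeBSD code: every name ending in `_toy` is hypothetical, the "free" is simulated by poisoning the header so the stale pointer can be detected without dereferencing released memory, and the sample packet bytes are constructed. The `_buggy` variant takes the mbuf by value as mld_input() did before r354832; the `_fixed` variant takes a pointer to the mbuf pointer, which is the shape of the fix.

```c
/* Added example (not FreeBSD code): toy model of the mbuf-ownership bug fixed
 * in r354832.  All *_toy / *_buggy / *_fixed names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MBUF_MAGIC 0x4d425546u   /* chain is live */
#define MBUF_DEAD  0xdeadbeefu   /* chain has been "freed" (poisoned) */

struct mbuf_toy {
    unsigned magic;
    size_t   len;
    char     data[64];
};

/* Simulated free: poison the header instead of releasing the memory, so a
 * stale pointer can be detected safely in this example. */
static void m_free_toy(struct mbuf_toy *m)
{
    m->magic = MBUF_DEAD;
    m->len = 0;
}

/* Mimics an m_pullup()-style step: copy the packet into a fresh mbuf and
 * release the original.  The caller must switch to the returned chain. */
static struct mbuf_toy *m_pullup_toy(struct mbuf_toy *m)
{
    struct mbuf_toy *n = calloc(1, sizeof(*n));
    if (n == NULL) {
        m_free_toy(m);
        return NULL;
    }
    n->magic = MBUF_MAGIC;
    n->len = m->len;
    memcpy(n->data, m->data, m->len);
    m_free_toy(m);
    return n;
}

/* Before the fix: mbuf passed by value, so the replacement chain is only
 * visible inside this function.  Returns 0 on success, -1 on error. */
static int mld_input_buggy(struct mbuf_toy *m)
{
    m = m_pullup_toy(m);          /* caller's copy of m is now stale */
    return m == NULL ? -1 : 0;
}

/* After the fix: mbuf passed by reference, so the caller sees the new chain
 * in the non-error case. */
static int mld_input_fixed(struct mbuf_toy **mp)
{
    *mp = m_pullup_toy(*mp);
    return *mp == NULL ? -1 : 0;
}

/* Stand-in for icmp6_rip6_input(): 0 if handed a live chain, -1 if stale. */
static int icmp6_rip6_input_toy(const struct mbuf_toy *m)
{
    return (m != NULL && m->magic == MBUF_MAGIC) ? 0 : -1;
}

/* Caller shaped like icmp6_input(): MLD dispatch, then raw-socket delivery
 * with the same mbuf.  Returns 0 if delivery saw a valid chain, -1 if it
 * was handed a stale one (the real kernel took a general protection fault). */
int icmp6_input_toy(int fixed)
{
    struct mbuf_toy *m = calloc(1, sizeof(*m));
    int rc;

    if (m == NULL)
        return -1;
    m->magic = MBUF_MAGIC;
    m->len = 4;
    memcpy(m->data, "\x82\x00\x00\x00", 4);   /* constructed: ICMPv6 type 130 (MLD Query) */

    rc = fixed ? mld_input_fixed(&m) : mld_input_buggy(m);
    if (rc != 0)
        return -1;                              /* error path: nothing to deliver */

    rc = icmp6_rip6_input_toy(m);
    free(m);   /* buggy path: the replacement chain is lost and leaks, just as the caller lost it */
    return rc;
}

int main(void)
{
    printf("by value   (pre-fix)  delivery rc = %d\n", icmp6_input_toy(0));  /* -1: stale mbuf */
    printf("by pointer (r354832)  delivery rc = %d\n", icmp6_input_toy(1));  /*  0: live mbuf  */
    return 0;
}
```

The detection in `icmp6_rip6_input_toy` stands in for what the kernel cannot do: in the real trace above the stale pointer was dereferenced and the fault surfaced in icmp6_input() itself, which is why the fix changes the interface (pointer-to-pointer) rather than adding a check at the delivery site.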


