svn commit: r335919 - head/sys/netinet6

Cy Schubert Cy.Schubert at cschubert.com
Wed Jul 4 13:06:19 UTC 2018


Hi Matt,

This is causing a panic of my gateway machine. Likely due to router 
solicitations.

Disabling anything IPv6 in rc.conf avoids the panic.

cwfw# grep '^# TEMP' /etc/rc.conf
# TEMP ifconfig_sk0_ipv6="inet6 fc00:1:1:1::fffe prefixlen 64 
-accept_rtadv"
# TEMP ifconfig_nfe0_ipv6="inet6 fc00:1:1:2::fffe prefixlen 64 
-accept_rtadv"
# TEMP rtadvd_enable="YES"		# Set to YES to enable an IPv6 router
# TEMP rtadvd_interfaces="sk0 nfe0"		# Interfaces rtadvd sends RA 
packets.
# TEMP ipv6_gateway_enable="YES"	# Set to YES if this host will be a 
gateway.
# TEMP route6d_enable="YES"		# Set to YES to enable an IPv6 routing 
daemon.
cwfw# 


In message <201807032330.w63NUr6P074115 at repo.freebsd.org>, Matt Macy 
writes:
> Author: mmacy
> Date: Tue Jul  3 23:30:53 2018
> New Revision: 335919
> URL: https://svnweb.freebsd.org/changeset/base/335919
>
> Log:
>   udp6_input: validate inpcb before use
>   
>   When traversing pcbinfo lists (rather than calling lookup) we need to
>   explicitly validate an inpcb before use.
>
> Modified:
>   head/sys/netinet6/udp6_usrreq.c
>
> Modified: head/sys/netinet6/udp6_usrreq.c
> =============================================================================
> =
> --- head/sys/netinet6/udp6_usrreq.c	Tue Jul  3 23:29:18 2018	(r33591
> 8)
> +++ head/sys/netinet6/udp6_usrreq.c	Tue Jul  3 23:30:53 2018	(r33591
> 9)
> @@ -355,6 +355,10 @@ udp6_input(struct mbuf **mp, int *offp, int proto)
>  				int			 blocked;
>  
>  				INP_RLOCK(inp);
> +				if (__predict_false(inp->inp_flags2 & INP_FREED
> )) {
> +					INP_RUNLOCK(inp);
> +					continue;
> +				}
>  
>  				bzero(&mcaddr, sizeof(struct sockaddr_in6));
>  				mcaddr.sin6_len = sizeof(struct sockaddr_in6);
> @@ -382,10 +386,12 @@ udp6_input(struct mbuf **mp, int *offp, int proto)
>  				if ((n = m_copym(m, 0, M_COPYALL, M_NOWAIT)) !=
>  				    NULL) {
>  					INP_RLOCK(last);
> -					UDP_PROBE(receive, NULL, last, ip6,
> -					    last, uh);
> -					if (udp6_append(last, n, off, fromsa))
> -						goto inp_lost;
> +					if (__predict_true(inp->inp_flags2 & IN
> P_FREED) == 0) {
> +						UDP_PROBE(receive, NULL, last, 
> ip6,
> +					        last, uh);
> +						if (udp6_append(last, n, off, f
> romsa))
> +							goto inp_lost;
> +					}
>  					INP_RUNLOCK(last);
>  				}
>  			}
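Review bot: The freed-pcb test added after `INP_RLOCK(last)` reads `inp->inp_flags2`, but the pcb that was just locked and is about to be passed to `udp6_append()` is `last`; the third hunk (new line 424) has the same mix-up. By that point the list walk has presumably finished, so `inp` would be NULL, which is consistent with the reported page fault at `udp6_usrreq.c:424` with fault address 0x60, a small member offset from a null pointer. Since the backtrace reaches this code from `ip6_input()` on received traffic, treat it as a network-reachable kernel panic until it is fixed. Both checks should test the locked pcb and put the whole comparison inside the hint: `if (__predict_true((last->inp_flags2 & INP_FREED) == 0)) {`. The loop and the rest of `udp6_input()` lie outside the hunk.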
> @@ -414,10 +420,13 @@ udp6_input(struct mbuf **mp, int *offp, int proto)
>  			goto badheadlocked;
>  		}
>  		INP_RLOCK(last);
> -		INP_INFO_RUNLOCK(pcbinfo);
> -		UDP_PROBE(receive, NULL, last, ip6, last, uh);
> -		if (udp6_append(last, m, off, fromsa) == 0) 
> +		if (__predict_true(inp->inp_flags2 & INP_FREED) == 0) {
> +			UDP_PROBE(receive, NULL, last, ip6, last, uh);
> +			if (udp6_append(last, m, off, fromsa) == 0)
> +				INP_RUNLOCK(last);
> +		} else
>  			INP_RUNLOCK(last);
> +		INP_INFO_RUNLOCK(pcbinfo);
>  	inp_lost:
>  		return (IPPROTO_DONE);
>  	}
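Review bot: When the new check finds the pcb freed, the `else` branch only calls `INP_RUNLOCK(last)` and the function returns `IPPROTO_DONE` without delivering or freeing `m`, so the mbuf appears to leak; the second hunk has the same gap for the copy `n`. Leaked mbufs on a packet-input path can add up to buffer exhaustion under sustained traffic. Unless ownership is released somewhere not visible here, free the chain on the skip path, e.g. `} else { m_freem(m); INP_RUNLOCK(last); }`, and add `else m_freem(n);` in the multicast loop. `udp6_input()` starts and ends outside the hunk.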

Here:

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address	= 0x60
fault code		= supervisor read data, page not present
instruction pointer	= 0x20:0xffffffff808312cf
stack pointer	        = 0x28:0xfffffe00004b6700
frame pointer	        = 0x28:0xfffffe00004b6810
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 12 (irq16: skc0)
trap number		= 12
panic: page fault
cpuid = 1
time = 1530707882
KDB: stack backtrace:
#0 0xffffffff80655217 at kdb_backtrace+0x67
#1 0xffffffff8060a803 at vpanic+0x1a3
#2 0xffffffff8060a653 at panic+0x43
#3 0xffffffff8094621f at trap_fatal+0x35f
#4 0xffffffff80946279 at trap_pfault+0x49
#5 0xffffffff8094589e at trap+0x29e
#6 0xffffffff80926afc at calltrap+0x8
#7 0xffffffff808123e8 at ip6_input+0xdd8
#8 0xffffffff80721756 at netisr_dispatch_src+0xd6
#9 0xffffffff8070e1c3 at ether_demux+0x163
#10 0xffffffff8070f326 at ether_nh_input+0x346
#11 0xffffffff80721756 at netisr_dispatch_src+0xd6
#12 0xffffffff8070e5c4 at ether_input+0x54
#13 0xffffffff813fdb81 at sk_rxeof+0x261
#14 0xffffffff813fd168 at sk_intr+0x118
#15 0xffffffff805ce299 at intr_event_execute_handlers+0xe9
#16 0xffffffff805ce5a7 at ithread_loop+0xe7
#17 0xffffffff805cb553 at fork_exit+0x83
Uptime: 1m35s
Dumping 448 out of 4070 MB:..4%..11%..22%..33%..43%..54%..61%..72%..83%.
.93%

__curthread () at ./machine/pcpu.h:231
231		__asm("movq %%gs:%1,%0" : "=r" (td)
(kgdb) bt
#0  __curthread () at ./machine/pcpu.h:231
#1  doadump (textdump=<optimized out>)
    at /opt/src/svn-current/sys/kern/kern_shutdown.c:366
#2  0xffffffff8060a3eb in kern_reboot (howto=260)
    at /opt/src/svn-current/sys/kern/kern_shutdown.c:446
#3  0xffffffff8060a863 in vpanic (fmt=<optimized out>, 
ap=0xfffffe00004b6450)
    at /opt/src/svn-current/sys/kern/kern_shutdown.c:863
#4  0xffffffff8060a653 in panic (fmt=<unavailable>)
    at /opt/src/svn-current/sys/kern/kern_shutdown.c:790
#5  0xffffffff8094621f in trap_fatal (frame=0xfffffe00004b6640, eva=96)
    at /opt/src/svn-current/sys/amd64/amd64/trap.c:892
#6  0xffffffff80946279 in trap_pfault (frame=0xfffffe00004b6640, 
usermode=0)
    at /opt/src/svn-current/sys/amd64/amd64/trap.c:728
#7  0xffffffff8094589e in trap (frame=0xfffffe00004b6640)
    at /opt/src/svn-current/sys/amd64/amd64/trap.c:427
#8  <signal handler called>
#9  udp6_input (mp=<optimized out>, offp=<optimized out>, 
    proto=<optimized out>)
    at /opt/src/svn-current/sys/netinet6/udp6_usrreq.c:424
#10 0xffffffff808123e8 in ip6_input (m=0xfffff80005044400)
    at /opt/src/svn-current/sys/netinet6/ip6_input.c:962
#11 0xffffffff80721756 in netisr_dispatch_src (proto=6, 
    source=<optimized out>, m=0x1)
---Type <return> to continue, or q <return> to quit--- 
    at /opt/src/svn-current/sys/net/netisr.c:1122
#12 0xffffffff8070e1c3 in ether_demux (ifp=0xfffff80003222800, 
    m=0xfffff8000309a580) at /opt/src/svn-current/sys/net/if_ethersubr.c
:873
#13 0xffffffff8070f326 in ether_input_internal (ifp=0xfffff80003222800, 
    m=0xfffff8000309a580) at /opt/src/svn-current/sys/net/if_ethersubr.c
:661
#14 ether_nh_input (m=<optimized out>)
    at /opt/src/svn-current/sys/net/if_ethersubr.c:691
#15 0xffffffff80721756 in netisr_dispatch_src (proto=5, 
    source=<optimized out>, m=0x1)
    at /opt/src/svn-current/sys/net/netisr.c:1122
#16 0xffffffff8070e5c4 in ether_input (ifp=0xfffff80003222800, m=0x0)
    at /opt/src/svn-current/sys/net/if_ethersubr.c:781
#17 0xffffffff813fdb81 in sk_rxeof (sc_if=<optimized out>)
    at /opt/src/svn-current/sys/dev/sk/if_sk.c:2792
#18 0xffffffff813fd168 in sk_intr (xsc=0xfffff800031ac600)
    at /opt/src/svn-current/sys/dev/sk/if_sk.c:3119
#19 0xffffffff805ce299 in intr_event_execute_handlers (p=<optimized out>
,
    ie=0xfffff8000205e500) at /opt/src/svn-current/sys/kern/kern_intr.c:
1013
#20 0xffffffff805ce5a7 in ithread_execute_handlers (ie=<optimized out>, 
    p=<optimized out>) at /opt/src/svn-current/sys/kern/kern_intr.c:1026
#21 ithread_loop (arg=0xfffff80003029f60)
    at /opt/src/svn-current/sys/kern/kern_intr.c:1106
#22 0xffffffff805cb553 in fork_exit (
---Type <return> to continue, or q <return> to quit---q
callout=0xffffffff805ce4c0 <ithread_loop>, Quit
(kgdb) frame 9
#9  udp6_input (mp=<optimized out>, offp=<optimized out>, 
    proto=<optimized out>)
    at /opt/src/svn-current/sys/netinet6/udp6_usrreq.c:424
424			if (__predict_true(inp->inp_flags2 & INP_FREED) == 0) {
(kgdb) l
419				UDPSTAT_INC(udps_noport);
420				UDPSTAT_INC(udps_noportmcast);
421				goto badheadlocked;
422			}
423			INP_RLOCK(last);
424			if (__predict_true(inp->inp_flags2 & INP_FREED) == 0) {
425				UDP_PROBE(receive, NULL, last, ip6, last, uh);
426				if (udp6_append(last, m, off, fromsa) == 0)
427					INP_RUNLOCK(last);
428			} else
(kgdb) p last
$1 = <optimized out>
(kgdb) p inp->inp_flags2
value has been optimized out
(kgdb) p inp
$2 = <optimized out>
(kgdb) 



-- 
Cheers,
Cy Schubert <Cy.Schubert at cschubert.com>
FreeBSD UNIX:  <cy at FreeBSD.org>   Web:  http://www.FreeBSD.org

	The need of the many outweighs the greed of the few.




