(analysis) Re: ipv6 causing panic?
Matthew Dillon
dillon at apollo.backplane.com
Mon Jan 31 08:45:12 PST 2005
:I've updated to the latest current sources, and when I bring up
:my default ipv6 route I get a panic a few seconds later. Kernel
:and crash dump can be found at:
:
: http://www.theshell.com/~pavalos/crash/
:
:...
:
:Peter
It looks like it is IPV6 related. It crashed somewhere in
in6ifa_ifpwithaddr().
Peter, on January 19th I did make a commit which synchronized the
use of the interface pointer with consumers when an ifp is freed.
Synchronize your sources and make doubly sure that your kernel has
those fixes:
1.25 +7 -2 src/sys/net/if.c
1.23 +78 -3 src/sys/net/netisr.c
1.21 +2 -1 src/sys/net/netisr.h
1.30 +2 -2 src/sys/netinet/ip_demux.c
From what I can tell, the packet's interface pointer is pointing
to memory which is no longer an interface structure. It's possible
that my fixes aren't sufficient for IPV6. Hmm, or for packet fragment
processing either, since a message may bounce around more than one
thread. But I am a bit at a loss as to why the interface pointer is
bad because you weren't bringing down an interface at the time of the
crash (were you?)
/*
 * find the internet address corresponding to a given interface and address.
 */
struct in6_ifaddr *
in6ifa_ifpwithaddr(struct ifnet *ifp, struct in6_addr *addr)
{
        struct ifaddr *ifa;

        TAILQ_FOREACH(ifa, &ifp->if_addrlist, ifa_list)
        {
                if (ifa->ifa_addr == NULL)              <<<<<<<< CRASHED HERE
                        continue;       /* just for safety */
                if (ifa->ifa_addr->sa_family != AF_INET6)
                        continue;
                if (IN6_ARE_ADDR_EQUAL(addr, IFA_IN6(ifa)))
                        break;
        }
        return((struct in6_ifaddr *)ifa);
}
The ifa pointer is bogus: it is 0x6e62696c, which is obviously ASCII
characters and not a pointer.
The sequence is:
ip6_input() -> icmp6_input() -> nd6_na_input() -> in6ifa_ifpwithaddr()
It looks to me like m->m_pkthdr.rcvif is bad.
(kgdb) print $5
$8 = (struct mbuf *) 0xd5ea9200
(kgdb) print *$5
$15 = {
  m_hdr = {
    mh_next = 0x0,
    mh_nextpkt = 0x0,
    mh_data = 0xc3756824 "`",
    mh_len = 0x40,
    mh_type = 0x1,
    mh_flags = 0x4003               <<< M_EXT, M_PKTHDR, M_EXT_CLUSTER
  },
  M_dat = {
    MH = {
      MH_pkthdr = {
        rcvif = 0xc37a4fac,         <<< rcvif pointer looks ok
        len = 0x40,                 <<< header length looks ok
        tags = {
          slh_first = 0xc3845180
        },
        header = 0x0,
        csum_flags = 0x300,
        csum_data = 0x10,
        pf_flags = 0x0,
        pf_tag = 0x0,
        pf_routed = 0x0,
        pf_unused01 = 0x0
      },
      MH_dat = {
        MH_ext = {
          ext_buf = 0xc3756800 "",
          ext_nfree = {
            old = 0xc0195898 <m_mclfree>,
            new = 0xc0195898 <m_mclfree>,
            any = 0xc0195898
          },
          ext_size = 0x800,
          ext_nref = {
            old = 0xc0195940 <m_mclref>,
            new = 0xc0195940 <m_mclref>,
            any = 0xc0195940
          },
          ext_arg = 0xc37a1340
        },
        ...
(kgdb) print *$5->M_dat.MH.MH_pkthdr.rcvif
$14 = {
  if_softc = 0xde664800,            <<<< ALL BOGUS
  if_link = {
    tqe_next = 0x6362696c,          <<<< ALL BOGUS
    tqe_prev = 0x2e6f732e           <<<< ALL BOGUS
  },
  if_xname = "4\000le.so\000libm.so.",
  if_dname = 0x32---Can't read userspace from dump, or kernel process---
-Matt
Matthew Dillon
<dillon at xxxxxxxxxxxxx>
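The "it is ASCII, not a pointer" observation in the mail above is a standard crash-triage check. The following is an added example (not code from the mail, from Peter's dump, or from the DragonFly tree) that decodes the word values quoted from the kgdb output as the bytes they occupy in memory on a little-endian i386. The helper names are hypothetical; the input values are the ones visible in the dump. Note that the two adjacent if_link words decode together as "libc.so.", and if_xname in the same dump already reads "le.so\000libm.so.", so the memory the rcvif pointer names has been overwritten with text that looks like shared-library names.

```c
/*
 * Added example for this thread, not code from the original mail or from
 * the DragonFly tree: decode suspicious 32-bit "pointer" values from the
 * dump as little-endian ASCII.  Helper names are hypothetical.
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Decode one 32-bit word as the four bytes it occupies in memory on a
 * little-endian machine (i386: byte 0 is the lowest address).  Non-printable
 * bytes become '.'.  Returns 1 when all four bytes are printable ASCII in
 * the C locale.  Every kernel address in this dump has a top byte of 0xc0
 * or higher, which isprint() rejects, so a return of 1 means the word is
 * text, not a pointer.
 */
int word_as_ascii(uint32_t word, char out[5])
{
    int all_printable = 1;

    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)((word >> (8 * i)) & 0xff);
        if (isprint(b)) {
            out[i] = (char)b;
        } else {
            out[i] = '.';
            all_printable = 0;
        }
    }
    out[4] = '\0';
    return all_printable;
}

/*
 * Two adjacent words (tqe_next and tqe_prev sit next to each other in
 * struct ifnet) decode as one 8-character run of text.
 */
void word_pair_as_ascii(uint32_t first, uint32_t second, char out[9])
{
    char a[5], b[5];

    word_as_ascii(first, a);
    word_as_ascii(second, b);
    memcpy(out, a, 4);
    memcpy(out + 4, b, 4);
    out[8] = '\0';
}

int main(void)
{
    /* Values copied from the kgdb output in the mail. */
    const struct { const char *field; uint32_t value; } dump[] = {
        { "ifa (in6ifa_ifpwithaddr)", 0x6e62696c },
        { "rcvif",                    0xc37a4fac },
        { "rcvif->if_softc",          0xde664800 },
        { "rcvif->if_link.tqe_next",  0x6362696c },
        { "rcvif->if_link.tqe_prev",  0x2e6f732e },
    };
    char text[9];

    for (size_t i = 0; i < sizeof(dump) / sizeof(dump[0]); i++) {
        int ascii = word_as_ascii(dump[i].value, text);
        printf("%-28s 0x%08x  \"%s\"  %s\n", dump[i].field,
               (unsigned)dump[i].value, text,
               ascii ? "<- ASCII, not a pointer" : "");
    }
    word_pair_as_ascii(0x6362696c, 0x2e6f732e, text);
    printf("if_link as text: \"%s\"\n", text);
    return 0;
}
```

The check is one-directional: a word that decodes to printable text is not a kernel pointer, but a word that does not decode (if_softc = 0xde664800 here) is not thereby shown to be valid.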
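The failure the mail describes is an mbuf whose rcvif still names an ifnet that has since been freed and reused, and the fix it refers to is "synchronizing the use of the interface pointer with consumers". As an added illustration (not the committed DragonFly change, and not code from the mail), the model below shows one way that synchronization can work: the packet holds its own reference on the interface for as long as it carries the pointer, so teardown of the interface cannot release the structure while a queued packet can still reach it. The struct layout, function names and reference-count scheme are hypothetical.

```c
/*
 * Added example, not DragonFly code: a minimal model of the failure mode in
 * the thread and of one way to keep an ifnet alive for its consumers.  An
 * mbuf records the interface it arrived on (rcvif) and may sit in a queue for
 * another protocol thread long after the driver's receive path returned.  If
 * if_detach() freed the ifnet in the meantime, the consumer (a stand-in here
 * for in6ifa_ifpwithaddr()) would walk freed memory.  In this model the mbuf
 * takes its own reference, so the memory is released only when the last
 * holder lets go.  Names and the scheme itself are hypothetical.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ifnet {
    char if_xname[16];
    int  if_refcnt;    /* owner + every mbuf still carrying this rcvif */
    int  if_detached;  /* set by if_detach(); no new packets after this */
};

struct mbuf {
    struct ifnet *rcvif;
};

/* Instrumentation: number of ifnets whose memory has really been released. */
static int ifnets_freed;

static struct ifnet *if_alloc(const char *name)
{
    struct ifnet *ifp = calloc(1, sizeof(*ifp));
    if (ifp == NULL)
        abort();
    strncpy(ifp->if_xname, name, sizeof(ifp->if_xname) - 1);
    ifp->if_refcnt = 1;             /* the owner's (driver's) reference */
    return ifp;
}

static void if_ref(struct ifnet *ifp)
{
    ifp->if_refcnt++;
}

/* Drop one reference; the memory goes away only when nobody holds it. */
static void if_rele(struct ifnet *ifp)
{
    if (--ifp->if_refcnt == 0) {
        ifnets_freed++;
        free(ifp);
    }
}

/* Driver receive path: the packet takes its own reference on rcvif. */
static struct mbuf *m_gethdr_from(struct ifnet *ifp)
{
    struct mbuf *m = calloc(1, sizeof(*m));
    if (m == NULL)
        abort();
    if_ref(ifp);
    m->rcvif = ifp;
    return m;
}

/* Freeing the packet releases its hold on the interface. */
static void m_freem(struct mbuf *m)
{
    if (m->rcvif != NULL)
        if_rele(m->rcvif);
    free(m);
}

/* Teardown drops the owner's reference; queued packets keep theirs. */
static void if_detach(struct ifnet *ifp)
{
    ifp->if_detached = 1;
    if_rele(ifp);
}

/* A late consumer in the protocol thread: 1 if rcvif is still a live,
 * reference-held ifnet (so walking its address list would be safe). */
static int consumer_sees_valid_rcvif(const struct mbuf *m)
{
    return m->rcvif != NULL && m->rcvif->if_refcnt > 0;
}

/* Scenario from the thread: packet received, interface torn down before the
 * protocol thread processes the packet, packet processed and freed last.
 * Returns 1 if the consumer saw a live ifnet and the ifnet was freed exactly
 * once, only after the last packet released it. */
int scenario_interface_torn_down_under_packet(void)
{
    struct ifnet *ifp;
    struct mbuf *m;
    int ok;

    ifnets_freed = 0;
    ifp = if_alloc("lnc0");         /* constructed interface name */
    m = m_gethdr_from(ifp);         /* refcnt: owner + packet = 2 */
    if_detach(ifp);                 /* owner gone; refcnt is now 1 */
    ok = consumer_sees_valid_rcvif(m) && ifnets_freed == 0;
    m_freem(m);                     /* last reference: memory released here */
    return ok && ifnets_freed == 1;
}

int main(void)
{
    printf("packet outlives interface safely: %s\n",
           scenario_interface_torn_down_under_packet() ? "yes" : "no");
    return 0;
}
```

Without the reference taken in m_gethdr_from(), if_detach() would free the ifnet immediately and the consumer would read whatever later reused that memory, which is the picture the dump above shows.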