Running the first set of example commands from the pair(4) man page
crashes the kernel on at least sparc64 and octeon.

           # ifconfig pair1 rdomain 1 10.1.1.1/24 up
           # ifconfig pair2 rdomain 2 10.1.1.2/24 up
           # ifconfig pair1 patch pair2
           # route -T 1 exec ping 10.1.1.2

A netcat<->telnet connection from 10.1.1.1 to 10.1.1.2 works.

It seems the problem only happens with ping, or short packets in general.
It looks like the crash is happening while processing the icmp echo reply.
This code in ip_input_if() calls m_pullup() which ends up setting m->m_data
to an unaligned address:

        if (m->m_len < sizeof (struct ip) &&
            (m = *mp = m_pullup(m, sizeof (struct ip))) == NULL) {
                ipstat_inc(ips_toosmall);
                goto bad;
        }
        ip = mtod(m, struct ip *);
        if (ip->ip_v != IPVERSION) {  // we crash here because ip is misaligned

Note that pair(4) has dequeued this mbuf from its send queue and doesn't
modify it except for resetting the packet header if it exists.

Trace from sparc64:

panic: trap type 0x34 (mem address not aligned): pc=11336d4 npc=11336d8 pstate=44820006<PRIV,IE>
Stopped at      db_enter+0x8:   nop
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
*291733   6703      0     0x14000      0x200    0  softnet
trap(40016e6b890, 34, 11336d4, 44820006, 400023ff800, 8848) at trap+0x2e0
Lslowtrap_reenter(400023ace00, 0, ffffffffffffffff, 1c176d0, 40000, 1) at Lslowtrap_reenter+0xf8
ip_input_if(40016e6bb48, 40016e6bb54, 4, 0, 400023ff800, 8848) at ip_input_if+0x120
ipv4_input(400023ff800, 18184e8, ffffffffffffffff, 1c176d0, 40000, 1) at ipv4_input+0x3c
ether_input(400023ff800, 400023ace00, 0, 16545e8, aaaa, 8848) at ether_input+0xc8
if_input_process(400021607c0, 40016e6bde0, 131cb20, 1c176d0, 40000, 0) at if_input_process+0x11c
taskq_thread(4000216c080, 40002142fc0, 1758938, 16545e8, 0, 3b9ac800) at taskq_thread+0x6c
proc_trampoline(0, 0, 0, 0, 0, 0) at proc_trampoline+0x14

https://www.openbsd.org/ddb.html describes the minimum info required in bug reports.
Insufficient info makes it difficult to find and fix bugs.
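The following is an added, stand-alone illustration of the alignment problem the report describes; it is not code from the report, from pair(4) or from the OpenBSD tree. It overlays an IPv4 header struct on a buffer the way ip_input_if() does with mtod(), but first checks whether the pointer is aligned for the struct (a portable check in the spirit of the kernel's ALIGNED_POINTER() macro) and, if not, reads the header through a byte copy instead. On x86 the direct overlay would silently work; on sparc64 or MIPS it is exactly the "mem address not aligned" trap in the trace. The header bytes, the hdr_is_aligned()/ip_version_safe() names and the offset-1 placement are all constructed for this example.

```c
/*
 * Added example (not from the bug report or the OpenBSD sources): why an
 * unaligned struct ip overlay traps on strict-alignment CPUs, and one safe
 * way to read such a header. C11 for _Alignof/_Alignas.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Same layout as the fixed part of <netinet/ip.h> struct ip; the version
 * and header-length nibbles are read by hand to avoid bitfield order. */
struct ipv4_hdr {
    uint8_t  vhl;        /* version (high nibble), header length (low) */
    uint8_t  tos;
    uint16_t len;
    uint16_t id;
    uint16_t off;
    uint8_t  ttl;
    uint8_t  proto;
    uint16_t sum;
    uint32_t src;
    uint32_t dst;
};

/* Is p suitably aligned to be overlaid with struct ipv4_hdr (4 bytes here)?
 * This is the check one could KASSERT() before mtod(m, struct ip *). */
int hdr_is_aligned(const void *p)
{
    return ((uintptr_t)p % _Alignof(struct ipv4_hdr)) == 0;
}

/*
 * Return the IP version of a header that may start at any byte offset, or
 * -1 if fewer than sizeof(struct ipv4_hdr) bytes are available (the case
 * m_pullup() exists to repair). An aligned pointer is overlaid directly;
 * a misaligned one is copied byte-wise first, which has no alignment
 * requirement, instead of dereferencing it and trapping.
 */
int ip_version_safe(const uint8_t *buf, size_t buflen)
{
    struct ipv4_hdr copy;
    const struct ipv4_hdr *ip;

    if (buflen < sizeof(*ip))
        return -1;
    if (hdr_is_aligned(buf)) {
        ip = (const struct ipv4_hdr *)buf;
    } else {
        memcpy(&copy, buf, sizeof(copy));
        ip = &copy;
    }
    return ip->vhl >> 4;
}

/*
 * Constructed sample (not a captured packet): one padding byte, then a
 * 20-byte IPv4 header for an ICMP echo reply from 10.1.1.2 to 10.1.1.1
 * with the checksum left zero. _Alignas(4) on the array guarantees that
 * the header at offset 1 really is misaligned, mimicking the m_data the
 * report describes.
 */
static _Alignas(4) const uint8_t sample_pkt[] = {
    0x00,                         /* padding, header starts at offset 1 */
    0x45, 0x00, 0x00, 0x54,       /* v=4, hl=5, tos 0, total length 84 */
    0x12, 0x34, 0x00, 0x00,       /* id, flags/fragment offset */
    0x40, 0x01, 0x00, 0x00,       /* ttl 64, proto 1 (ICMP), checksum 0 */
    0x0a, 0x01, 0x01, 0x02,       /* src 10.1.1.2 */
    0x0a, 0x01, 0x01, 0x01,       /* dst 10.1.1.1 */
};

/* The header pointer as a driver would hand it up: offset 1, misaligned. */
const uint8_t *sample_hdr(void) { return sample_pkt + 1; }
size_t sample_hdr_len(void) { return sizeof(sample_pkt) - 1; }

int main(void)
{
    const uint8_t *hdr = sample_hdr();

    printf("header at %p: aligned=%d version=%d\n", (const void *)hdr,
        hdr_is_aligned(hdr), ip_version_safe(hdr, sample_hdr_len()));
    return 0;
}
```

On a strict-alignment machine the interesting experiment is to replace the memcpy path with a direct `((const struct ipv4_hdr *)buf)->vhl` read: that line reproduces the trap without any kernel involvement, which makes it a quick way to confirm the hypothesis that m_data is the culprit before touching m_pullup() or pair(4).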
