Hi,

I encountered a reproducible kernel panic during an accidental IPv6
misconfiguration. In order to reproduce, the OpenBSD machine must be in
the same subnet as a router that has fe80::1/64 configured and sends
IPv6 route advertisements, for example with radvd using this config:

  interface eth0 {
    AdvSendAdvert on;
    MinRtrAdvInterval 10;
    MaxRtrAdvInterval 30;
    prefix 2001:db8::/64 {
      AdvOnLink on;
      AdvAutonomous on;
      AdvRouterAddr on;
    };
  };

With this setup, I was able to reliably trigger the assertion using
the following steps:

- Install OpenBSD using 6.6/amd64 install66.iso
  - IPv4: none
  - IPv6: autoconf
- Reboot into system, log in
- echo inet6 alias fe80::1 64 >> /etc/hostname.vio0
  # The file now contains the following:
  #   inet6 autoconf
  #   inet6 alias fe80::1 64
- Reboot and log in again
- ping6 2001::
  # The exact address doesn't seem to matter, it also doesn't have to
  # respond or anything. Sometimes this step isn't even necessary as the
  # panic occurs by itself after the login prompt.
- Wait a bit (less than a minute in my case) and observe the panic

These steps ignore installing updates; however, this can also be
reproduced after using syspatch. The boot and panic log below was
created using the latest kernel available on 6.6. In case it's relevant,
I observed this in a QEMU VM running on Debian sid using libvirt.

Julian


>> OpenBSD/amd64 BOOT 3.45
boot>
booting hd0a:/bsd: 12670280+2937872+333136+0+704512
[992525+128+1010520+739210]=0x127fc78
entry point at 0xffffffff81001000

[ using 2743416 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
        The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2019 OpenBSD. All rights reserved.
https://www.OpenBSD.org

OpenBSD 6.6 (GENERIC) #8: Fri Apr 17 13:49:18 MDT 2020
[email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 1056800768 (1007MB)
avail mem = 1012199424 (965MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xf5ad0 (9 entries)
bios0: vendor SeaBIOS version "1.13.0-1" date 04/01/2014
bios0: QEMU Standard PC (i440FX + PIIX, 1996)
acpi0 at bios0: ACPI 1.0
acpi0: sleep states S5
acpi0: tables DSDT FACP APIC
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel Xeon E3-12xx v2 (Ivy Bridge, IBRS), 2295.05 MHz, 06-3a-09
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,VMX,SSSE3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,XSAVE,HV,NXE,RDTSCP,LONG,LAHF,FSGSBASE,TSC_ADJUST,SMEP,ERMS,UMIP,MD_CLEAR,IBRS,IBPB,STIBP,SSBD,ARAT,XSAVEOPT,MELTDOWN
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 999MHz
ioapic0 at mainbus0: apid 0 pa 0xfec00000, version 11, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!)
"ACPI0006" at acpi0 not configured
acpipci0 at acpi0 PCI0: _OSC failed
acpicmos0 at acpi0
"PNP0A06" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"QEMU0002" at acpi0 not configured
"ACPI0010" at acpi0 not configured
cpu0: using VERW MDS workaround
pvbus0 at mainbus0: KVM
pvclock0 at pvbus0
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: <QEMU, QEMU DVD-ROM, 2.5+> removable
cd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pciide0: channel 1 disabled (no drives)
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: apic 0 int 9
iic0 at piixpm0
vga1 at pci0 dev 2 function 0 "Red Hat QXL Video" rev 0x04
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
virtio0 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio0: address 52:54:00:f6:d7:f8
virtio0: msix shared
azalia0 at pci0 dev 4 function 0 "Intel 82801FB HD Audio" rev 0x01: apic 0 int 11
azalia0: No codecs found
uhci0 at pci0 dev 5 function 0 "Intel 82801I USB" rev 0x03: apic 0 int 10
uhci1 at pci0 dev 5 function 1 "Intel 82801I USB" rev 0x03: apic 0 int 10
uhci2 at pci0 dev 5 function 2 "Intel 82801I USB" rev 0x03: apic 0 int 11
ehci0 at pci0 dev 5 function 7 "Intel 82801I USB" rev 0x03: apic 0 int 11
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
virtio1 at pci0 dev 6 function 0 "Qumranet Virtio Console" rev 0x00
virtio1: no matching child driver; not configured
virtio2 at pci0 dev 7 function 0 "Qumranet Virtio Storage" rev 0x00
vioblk0 at virtio2
scsibus2 at vioblk0: 2 targets
sd0 at scsibus2 targ 0 lun 0: <VirtIO, Block Device, >
sd0: 4096MB, 512 bytes/sector, 8388608 sectors
virtio2: msix shared
virtio3 at pci0 dev 8 function 0 "Qumranet Virtio Memory Balloon" rev 0x00
viomb0 at virtio3
virtio3: apic 0 int 11
isa0 at pcib0
isadma0 at isa0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
vmm0 at mainbus0: VMX/EPT (using slow L1TF mitigation)
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (3d6254e642465075.a) swap on sd0b dump on sd0b
Automatic boot in progress: starting file system checks.
/dev/sd0a (3d6254e642465075.a): file system is clean; not checking
/dev/sd0e (3d6254e642465075.e): file system is clean; not checking
/dev/sd0d (3d6254e642465075.d): file system is clean; not checking
pf enabled
starting network
vio0: DAD detected duplicate IPv6 address fe80:1::1: NS in/out=0/1, NA in=1
vio0: DAD complete for fe80:1::1 - duplicate found
vio0: manual intervention required
reordering libraries:ndp info overwritten for fe80:1::1 by 76:fa:d3:57:ec:56 on vio0
fd0 at fdc0 drive 1: density unknown
 done.
starting early daemons: syslogd pflogd ntpd.
starting RPC daemons:.
savecore: no core dump
checking quotas: done.
clearing /tmp
kern.securelevel: 0 -> 1
creating runtime link editor directory cache.
preserving editor files.
starting network daemons: smtpd sndiod.
starting local daemons: cron.
Sat Apr 18 09:58:47 MDT 2020

OpenBSD/amd64 (testbox.my.domain) (tty00)

login: panic: kernel diagnostic assertion "!ISSET(rt->rt_flags, RTF_LOCAL)" failed: file "/usr/src/sys/netinet6/nd6.c", line 727
Stopped at      db_enter+0x10:  popq    %rbp

    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
*434286  82015      0     0x14000 0x40000200    0  softclock
db_enter() at db_enter+0x10
panic() at panic+0x128
__assert(ffffffff81c8d9ed,ffffffff81c94f4e,2d7,ffffffff81c73674) at __assert+0x2b
nd6_free(fffffd803ef181c0) at nd6_free+0x12f
nd6_llinfo_timer(fffffd803ef181c0) at nd6_llinfo_timer+0x19e
nd6_timer(ffffffff81fb2f00) at nd6_timer+0x64
softclock_thread(ffff800014a1b148) at softclock_thread+0xdb
end trace frame: 0x0, count: 8
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 30917  462064  12675      0  3        0x82  fsleep        ld
 30917   50234  12675      0  2   0x4000002                ld
 12675  470479  49675      0  3    0x10008a  pause         sh
 49675  177653  61607      0  3    0x10008a  pause         make
 10635  273908      1      0  3    0x100083  ttyin         getty
 79377   69862      1      0  3    0x100083  ttyin         getty
 27821  400641      1      0  3    0x100083  ttyin         getty
 71116  184959      1      0  3    0x100083  ttyin         getty
 34272  124159      1      0  3    0x100083  ttyin         getty
 59618  287702      1      0  3    0x100083  ttyin         getty
 61607  341828      1      0  3    0x10008b  pause         ksh
 68003  105751      1      0  3    0x100098  poll          cron
 69568  137331      1    110  3    0x100090  poll          sndiod
 45393  108097      1     99  3    0x100090  poll          sndiod
 10692  142719  11877     95  3    0x100092  kqread        smtpd
 72785  475177  11877    103  3    0x100092  kqread        smtpd
 39401   15771  11877     95  3    0x100092  kqread        smtpd
 68182  398755  11877     95  3    0x100092  kqread        smtpd
 94147  391381  11877     95  3    0x100092  kqread        smtpd
 43413  444078  11877     95  3    0x100092  kqread        smtpd
 11877  323190      1      0  3    0x100080  kqread        smtpd
 47944   38114      1      0  3    0x100080  poll          ntpd
 69817  382296  46647     83  3    0x100092  poll          ntpd
 46647   20569      1     83  3    0x100092  poll          ntpd
 46974   44927  43542     74  3    0x100092  bpf           pflogd
 43542  397684      1      0  3        0x80  netio         pflogd
  6457  484373  57783     73  3    0x100090  kqread        syslogd
 57783  333781      1      0  3    0x100082  netio         syslogd
 34094  204894  25759    115  3    0x100092  kqread        slaacd
  6570   87351  25759    115  3    0x100092  kqread        slaacd
 25759  163994      1      0  3    0x100080  kqread        slaacd
 91971  348009      0      0  3     0x14200  pgzero        zerothread
  7008  347814      0      0  3     0x14200  aiodoned      aiodoned
 87180  120215      0      0  3     0x14200  syncer        update
 47990  344798      0      0  3     0x14200  cleaner       cleaner
   907  519847      0      0  3     0x14200  reaper        reaper
 95872   14724      0      0  3     0x14200  pgdaemon      pagedaemon
 77908  394307      0      0  3     0x14200  bored         crynlk
 68404  270180      0      0  3     0x14200  bored         crypto
 15416  400079      0      0  3     0x14200  bored         viomb
 85721  259011      0      0  3     0x14200  usbtsk        usbtask
  1072  170263      0      0  3     0x14200  usbatsk       usbatsk
  4965  516092      0      0  3  0x40014200  acpi0         acpi0
 44604  130358      0      0  3     0x14200  bored         softnet
  1336   87255      0      0  3     0x14200  bored         systqmp
 67855   54591      0      0  3     0x14200  bored         systq
*82015  434286      0      0  7  0x40014200                softclock
 63564  370232      0      0  3  0x40014200                idle0
 51852  249487      0      0  3     0x14200  bored         smr
     1  181023      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb> trace
db_enter() at db_enter+0x10
panic() at panic+0x128
__assert(ffffffff81c8d9ed,ffffffff81c94f4e,2d7,ffffffff81c73674) at __assert+0x2b
nd6_free(fffffd803ef181c0) at nd6_free+0x12f
nd6_llinfo_timer(fffffd803ef181c0) at nd6_llinfo_timer+0x19e
nd6_timer(ffffffff81fb2f00) at nd6_timer+0x64
softclock_thread(ffff800014a1b148) at softclock_thread+0xdb
end trace frame: 0x0, count: -7

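As an added example (not part of Julian's report and not OpenBSD code), the two shell functions below encode the preconditions the report describes so an administrator can check for them before rebooting into the configuration. check_hostname_if reads hostname.if(5) lines and flags the combination of "inet6 autoconf" with a manually configured link-local (fe80::/10) address, which is exactly what /etc/hostname.vio0 contains in the steps above; dad_duplicates pulls the interface and address out of the "DAD detected duplicate IPv6 address" console lines, like the one vio0 logged during "starting network" before the panic. The sample inputs are copied from the report; the function names and the decision to treat a manual link-local alias next to autoconf as the thing to look for are the editor's assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report or from OpenBSD: two checks for the
# preconditions the report describes. Function names are the editor's choice.

# Read hostname.if(5) lines on stdin. Print "risky: ..." when "inet6 autoconf"
# is combined with a manually configured link-local (fe80::/10) address,
# "ok" otherwise.
check_hostname_if() {
    hi_autoconf=0
    hi_linklocal=''
    while read -r hi_fam hi_kw hi_arg hi_rest; do
        [ "$hi_fam" = "inet6" ] || continue
        hi_addr=''
        case "$hi_kw" in
            autoconf) hi_autoconf=1 ;;
            alias)    hi_addr=$hi_arg ;;   # "inet6 alias ADDR PREFIXLEN"
            *)        hi_addr=$hi_kw ;;    # "inet6 ADDR PREFIXLEN"
        esac
        # fe80::/10 covers fe80: through febf:, any letter case
        case "$hi_addr" in
            [Ff][Ee][89aAbB][0-9a-fA-F]:*) hi_linklocal=$hi_addr ;;
        esac
    done
    if [ "$hi_autoconf" -eq 1 ] && [ -n "$hi_linklocal" ]; then
        echo "risky: inet6 autoconf combined with manual link-local $hi_linklocal"
    else
        echo "ok"
    fi
}

# Read console/dmesg lines on stdin and print "IFACE ADDRESS" for every
# "DAD detected duplicate IPv6 address" message. The "DAD complete ..."
# follow-up line is deliberately ignored so each duplicate is reported once.
dad_duplicates() {
    while read -r dd_line; do
        case "$dd_line" in
            *"DAD detected duplicate IPv6 address "*)
                dd_if=${dd_line%%:*}
                dd_rest=${dd_line#*"DAD detected duplicate IPv6 address "}
                # the address is followed by ": NS in/out=...", strip from there
                echo "$dd_if ${dd_rest%%: *}"
                ;;
        esac
    done
}

# Sample inputs, copied from the report.
sample_hostname_if='inet6 autoconf
inet6 alias fe80::1 64'
sample_console='vio0: DAD detected duplicate IPv6 address fe80:1::1: NS in/out=0/1, NA in=1
vio0: DAD complete for fe80:1::1 - duplicate found'

printf '%s\n' "$sample_hostname_if" | check_hostname_if
printf '%s\n' "$sample_console" | dad_duplicates
```

On a live system the same functions can be fed with `cat /etc/hostname.vio0 | check_hostname_if` and `dmesg | dad_duplicates`; the address printed by the second one uses the kernel's scoped notation (fe80:1::1 is fe80::1 with scope id 1), so compare it against the alias with that in mind.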