Hello bugs@
Trying to use mgre(4), I found what looks like a reliable way to crash
the kernel which might be of interest.
This machine is a one-month-old -current fairly light router, with inet
default within rdomain 1. I will upgrade to a more recent snap
shortly.
*** Setup
First I created an mgre interface:
# ifconfig mgre0 create
# ifconfig mgre0 tunneldomain 1
# ifconfig mgre0 tunneladdr 198.51.100.162
# ifconfig mgre0 inet 192.0.2.1/24
# ifconfig mgre0 up
# ifconfig mgre0
mgre0: flags=8841<UP,RUNNING,SIMPLEX,MULTICAST> mtu 1476
index 10 priority 0 llprio 3
encap: vnetid none txprio payload rxprio packet
groups: mgre
tunnel: inet 198.50.250.162 ttl 64 nodf ecn rdomain 1
inet 192.0.2.1 netmask 0xffffff00
So far, so good. Then I added a route towards the destination,
although in the wrong table (I know... silly me):
# route -T1 add -host 192.0.2.2 212.129.29.29 -iface -ifp mgre0
# route -T1 -n show -inet
Destination Gateway Flags Refs Use Mtu Prio Iface
default 158.69.55.254 UGS 5 14957 - 8 vio0
158.69.55.254 00:ff:ff:ff:ff:ff UHLSh 1 17 - 8 vio0
192.0.2.2 212.129.29.29 UHS 0 0 - 8 mgre0
198.50.250.162 02:00:00:ef:3d:d7 UHLl 0 4445 - 1 vio0
198.50.250.162/32 198.50.250.162 UCn 0 0 - 4 vio0
Adding the correct route worked as expected:
# route add -host 192.0.2.2 212.129.29.29 -iface -ifp mgre0
add host 192.0.2.2: gateway 212.129.29.29
$ route -n show -inet
Destination Gateway Flags Refs Use Mtu Prio Iface
192.0.2/24 192.0.2.1 UCn 0 0 - 4 mgre0
192.0.2.1 mgre0 UHl 0 0 - 1 mgre0
192.0.2.2 212.129.29.29 UHS 0 0 - 8 mgre0
And instead of removing the route first (dumb me again), I first
downed the interface then destroyed it:
# ifconfig mgre0 down
# ifconfig mgre0 destroy
The route was correctly removed from rdomain 0, but not rdomain 1:
$ route -T1 -n show -inet
Destination Gateway Flags Refs Use Mtu Prio Iface
default 158.69.55.254 UGS 8 18400300 - 8 vio0
158.69.55.254 00:ff:ff:ff:ff:ff UHLSh 1 18558 - 8 vio0
192.0.2.2 212.129.29.29 UHS 0 0 - 8 (null) <<<<
198.50.250.162 02:00:00:ef:3d:d7 UHLl 0 2567768 - 1 vio0
198.50.250.162/32 198.50.250.162 UCn 0 0 - 4 vio0
And then here the host crashes when the following command is entered:
$ doas route -T1 del 192.0.2.2
*** Fix:
Don't do that. Delete the route before destroying the interface.
*** ddb output:
ddb> show panic
kernel diagnostic assertion "ifp != NULL" failed: file
"/usr/src/sys/net/rtsock.c", line 973
ddb> trace
db_enter() at db_enter+0x10
panic(ffffffff81dca15b) at panic+0x12a
__assert(ffffffff81e32a47,ffffffff81e453a8,3cd,ffffffff81d9f3ec) at __assert+0x2b
rtm_output(ffff800000077780,ffff80000e80f410,ffff80000e80f368,40,1) at rtm_output+0x7ee
route_output(fffffd801ab0c400,fffffd800bc8d688,0,0) at route_output+0x3c3
route_usrreq(fffffd800bc8d688,9,fffffd801ab0c400,0,0,ffff80000e7165a8) at route_usrreq+0x21a
sosend(fffffd800bc8d688,0,ffff80000e80f668,0,0,0) at sosend+0x35b
dofilewritev(ffff80000e7165a8,3,ffff80000e80f668,0,ffff80000e80f740) at dofilewritev+0x14d
sys_write(ffff80000e7165a8,ffff80000e80f6e0,ffff80000e80f740) at sys_write+0x51
syscall(ffff80000e80f7b0) at syscall+0x315
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffd7830, count: -11
ddb> ps
PID TID PPID UID S FLAGS WAIT COMMAND
*24152 141518 73869 0 7 0x100003 route
49518 188379 45656 1000 3 0x100083 ttyin ksh
94287 357692 57872 1000 3 0x8b pause screen
57872 185593 92296 1000 3 0x10008b pause ksh
92296 127811 4690 1000 3 0x90 select sshd
4690 197172 85507 0 3 0x92 poll sshd
29860 469114 1 0 3 0x100083 ttyin getty
73869 393393 45656 1000 3 0x10008b pause ksh
45656 405711 1 1000 3 0x80 select screen
85507 417107 1 0 3 0x80 select sshd
1937 376184 70354 1000 3 0x100083 ttyin ksh
70354 95367 21602 1000 3 0x90 select sshd
21602 505612 1 0 3 0x92 poll sshd
76106 521289 1 0 3 0x100098 poll cron
57436 208740 77558 95 3 0x100092 kqread smtpd
48005 93137 77558 103 3 0x100092 kqread smtpd
98080 297758 77558 95 3 0x100092 kqread smtpd
31269 322224 77558 95 3 0x100092 kqread smtpd
28729 170519 77558 95 3 0x100092 kqread smtpd
35108 230328 77558 95 3 0x100092 kqread smtpd
77558 293635 1 0 3 0x100080 kqread smtpd
57214 40748 25486 75 3 0x100092 poll bgpd
13995 8899 25486 75 3 0x100092 poll bgpd
25486 105584 1 0 3 0x80 poll bgpd
81692 464433 1 0 3 0x100080 poll ntpd
33077 346121 16122 83 3 0x100092 poll ntpd
16122 179069 1 83 3 0x100092 poll ntpd
70295 203975 58081 74 3 0x100092 bpf pflogd
58081 404937 1 0 3 0x80 netio pflogd
55529 226080 15042 73 3 0x100090 kqread syslogd
15042 311781 1 0 3 0x100082 netio syslogd
19270 3217 1 0 3 0x80 select tincd
47457 99214 0 0 3 0x14200 bored wg_crypt
86076 132333 0 0 3 0x14200 bored wg_handshake
57137 490246 0 0 3 0x14200 bored wg_handshake
92859 366635 52673 115 3 0x100092 kqread slaacd
49365 41477 52673 115 3 0x100092 kqread slaacd
52673 451489 1 0 3 0x100080 kqread slaacd
91608 261626 0 0 3 0x14200 bored smr
84451 402630 0 0 2 0x14200 zerothread
23167 149792 0 0 3 0x14200 aiodoned aiodoned
59344 469555 0 0 3 0x14200 syncer update
37998 398762 0 0 3 0x14200 cleaner cleaner
98934 292214 0 0 3 0x14200 reaper reaper
14355 357910 0 0 3 0x14200 pgdaemon pagedaemon
17709 78338 0 0 3 0x14200 bored crynlk
66278 483611 0 0 3 0x14200 bored crypto
73934 104641 0 0 3 0x14200 usbtsk usbtask
87686 384984 0 0 3 0x14200 usbatsk usbatsk
48998 482709 0 0 3 0x14200 bored viomb
50168 519368 0 0 3 0x40014200 acpi0 acpi0
91276 21286 0 0 3 0x14200 bored softnet
81821 394981 0 0 3 0x14200 bored systqmp
32920 311097 0 0 3 0x14200 bored systq
95709 348457 0 0 3 0x40014200 bored softclock
39930 198295 0 0 3 0x40014200 idle0
1 502039 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb> show reg
rdi 0xffffffff820d3a00 kprintf_mutex
rsi 0x5
rbp 0xffff80000e80f1f0
rbx 0xffff80000e80f200
rdx 0x3fd
rcx 0x7e00000000039a52
rax 0x1
r8 0xffff80000e80f1b0
r9 0
r10 0x5ecf53d35a009bea
r11 0x6af3ee9d221e4694
r12 0x3000000008
r13 0xffff80000e80f2a0
r14 0x100
r15 0xffffffff81dca15b cmd0646_9_tim_udma+0x262a9
rip 0xffffffff81747e90 db_enter+0x10
cs 0x8
rflags 0x202
rsp 0xffff80000e80f1f0
ss 0x10
db_enter+0x10: popq %rbp
*** dmesg:
OpenBSD 6.8-current (GENERIC) #147: Sat Oct 31 18:07:36 MDT 2020
[email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 519954432 (495MB)
avail mem = 489062400 (466MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xf5770 (9 entries)
bios0: vendor SeaBIOS version "rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org" date 04/01/2014
bios0: QEMU Standard PC (i440FX + PIIX, 1996)
acpi0 at bios0: ACPI 1.0
acpi0: sleep states S3 S4 S5
acpi0: tables DSDT FACP APIC SSDT HPET
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Common KVM processor, 3392.71 MHz, 0f-06-01
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,CX16,x2APIC,HV,NXE,LONG,LAHF,MELTDOWN
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 999MHz
ioapic0 at mainbus0: apid 0 pa 0xfec00000, version 11, 24 pins
acpihpet0 at acpi0: 100000000 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
"ACPI0006" at acpi0 not configured
acpipci0 at acpi0 PCI0
acpicmos0 at acpi0
"PNP0A06" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"QEMU0002" at acpi0 not configured
"ACPI0010" at acpi0 not configured
"QEMUVGID" at acpi0 not configured
acpicpu0 at acpi0: C1(@1 halt!)
pvbus0 at mainbus0: KVM
pvclock0 at pvbus0
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: <QEMU, QEMU DVD-ROM, 2.5+> removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 1 function 2 "Intel 82371SB USB" rev 0x01: apic 0 int 11
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: apic 0 int 9
iic0 at piixpm0
vga1 at pci0 dev 2 function 0 "Bochs VGA" rev 0x02
wsdisplay at vga1 not configured
virtio0 at pci0 dev 3 function 0 "Qumranet Virtio Memory Balloon" rev 0x00
viomb0 at virtio0
virtio0: apic 0 int 11
ahci0 at pci0 dev 7 function 0 "Intel 82801I AHCI" rev 0x02: apic 0 int 11, AHCI 1.0
ahci0: port 0: 1.5Gb/s
scsibus2 at ahci0: 32 targets
sd0 at scsibus2 targ 0 lun 0: <ATA, QEMU HARDDISK, 2.5+> t10.ATA_QEMU_HARDDISK_QM00005_
sd0: 32768MB, 512 bytes/sector, 67108864 sectors, thin
virtio1 at pci0 dev 18 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio1: address 02:00:00:ef:3d:d7
virtio1: msix shared
ppb0 at pci0 dev 30 function 0 "Red Hat Qemu PCI-PCI" rev 0x00
pci1 at ppb0 bus 1
ppb1 at pci0 dev 31 function 0 "Red Hat Qemu PCI-PCI" rev 0x00
pci2 at ppb1 bus 2
isa0 at pcib0
isadma0 at isa0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0 mux 1
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
uhidev0 at uhub0 port 1 configuration 1 interface 0 "QEMU QEMU USB Tablet" rev 2.00/0.00 addr 2
uhidev0: iclass 3/0
ums0 at uhidev0: 3 buttons, Z dir
wsmouse1 at ums0 mux 0
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (67f5d90308a316eb.a) swap on sd0b dump on sd0b
WARNING: / was not properly unmounted
fd0 at fdc0 drive 1: density unknown
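An added example, not part of the bug report above, illustrating the workaround the report gives (delete the routes before destroying the interface) and a check for the symptom it shows (a route whose Iface column prints as "(null)" after its interface is gone). The sample table is constructed from the report's post-destroy output; the names stale_routes, count_stale and safe_destroy, and safe_destroy's list of table IDs as arguments, are assumptions. safe_destroy assumes OpenBSD route(8)/ifconfig(8) and is only defined here, not run.

```shell
#!/bin/sh
# Added example (not from the bug report): spot routing-table entries whose
# Iface column is "(null)", i.e. routes left behind after their interface was
# destroyed, in the text output of `route -T<n> -n show -inet`.

# Constructed sample modelled on the report's table for rdomain 1 after
# `ifconfig mgre0 destroy`; the "(null)" line is shown unwrapped.
SAMPLE_ROUTES='Destination Gateway Flags Refs Use Mtu Prio Iface
default 158.69.55.254 UGS 8 18400300 - 8 vio0
158.69.55.254 00:ff:ff:ff:ff:ff UHLSh 1 18558 - 8 vio0
192.0.2.2 212.129.29.29 UHS 0 0 - 8 (null)
198.50.250.162 02:00:00:ef:3d:d7 UHLl 0 2567768 - 1 vio0
198.50.250.162/32 198.50.250.162 UCn 0 0 - 4 vio0'

# stale_routes: read route(8) table text on stdin and print
# "<destination> <gateway>" for every entry whose last column is "(null)".
# The header line (NR == 1) is skipped.
stale_routes() {
    awk 'NR > 1 && $NF == "(null)" { print $1, $2 }'
}

# count_stale: number of stale entries in the constructed sample.
count_stale() {
    printf '%s\n' "$SAMPLE_ROUTES" | stale_routes | wc -l | tr -d ' '
}

# safe_destroy IFACE TABLE...: hypothetical teardown helper. For each routing
# table ID given, delete every host/net route whose Iface is IFACE, then down
# and destroy the interface. Mirrors the report's "delete the route before
# destroying the interface" workaround; requires OpenBSD route(8)/ifconfig(8).
safe_destroy() {
    ifp=$1
    shift
    for tbl in "$@"; do
        route -T"$tbl" -n show -inet \
            | awk -v ifp="$ifp" 'NR > 1 && $NF == ifp { print $1 }' \
            | while read -r dst; do
                route -T"$tbl" del "$dst"
              done
    done
    ifconfig "$ifp" down
    ifconfig "$ifp" destroy
}

# Run the check over the constructed sample: prints the one stale entry.
printf '%s\n' "$SAMPLE_ROUTES" | stale_routes
```

In the report the stale entry sat in table 1 while mgre0 itself lived in rdomain 0, so a teardown helper has to walk every table the interface was ever routed through (here passed explicitly, e.g. `safe_destroy mgre0 0 1`), not just the interface's own rdomain. Running the stale_routes check over each `route -T<n> -n show` output before issuing any `route del` is the cheap way to notice a "(null)" entry like the one that triggers the rtm_output assertion in the trace above.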