On 18 Nov 2019, at 21:59, Bjoern A. Zeeb wrote:

Author: bz
Date: Mon Nov 18 21:59:47 2019
New Revision: 354832
URL: https://svnweb.freebsd.org/changeset/base/354832

Log:
  icmpv6: Fix mbuf change in mld

  After r354748 mld_input() can change the mbuf.  The new pointer
  is never returned to icmp6_input() and when passed to
  icmp6_rip6_input() the mbuf may no longer be valid, leading to
  a panic.
  Pass a pointer to the mbuf to mld_input() so we can return an
  updated version in the non-error case.

  Add a test case sending an MLD packet which will trigger this bug.

The test case currently (after this commit) also triggers an epoch assert which is unrelated to these changes. Just in case anyone wonders if they still see a panic with the changes applied.

The original problem manifested itself like this:

Fatal trap 9: general protection fault while in kernel mode
cpuid = 0; apic id = 02
instruction pointer     = 0x20:0xffffffff80e0a7e3
stack pointer           = 0x28:0xfffffe00acfea5f0
frame pointer           = 0x28:0xfffffe00acfea780
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (swi1: netisr 0)
trap number             = 9
panic: general protection fault
cpuid = 0
time = 1574113185
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00acfea2d0
vpanic() at vpanic+0x17e/frame 0xfffffe00acfea330
panic() at panic+0x43/frame 0xfffffe00acfea390
trap_fatal() at trap_fatal+0x386/frame 0xfffffe00acfea3f0
trap() at trap+0x67/frame 0xfffffe00acfea520
calltrap() at calltrap+0x8/frame 0xfffffe00acfea520
--- trap 0x9, rip = 0xffffffff80e0a7e3, rsp = 0xfffffe00acfea5f0, rbp = 0xfffffe00acfea780 ---
icmp6_input() at icmp6_input+0xf83/frame 0xfffffe00acfea780
ip6_input() at ip6_input+0xd1e/frame 0xfffffe00acfea860
netisr_dispatch_src() at netisr_dispatch_src+0xb1/frame 0xfffffe00acfea8e0
ether_demux() at ether_demux+0x16e/frame 0xfffffe00acfea910
ether_nh_input() at ether_nh_input+0x408/frame 0xfffffe00acfea970
netisr_dispatch_src() at netisr_dispatch_src+0xb1/frame 0xfffffe00acfea9f0
ether_input() at ether_input+0x9d/frame 0xfffffe00acfeaa70
epair_nh_sintr() at epair_nh_sintr+0x17/frame 0xfffffe00acfeaa90
swi_net() at swi_net+0x1c3/frame 0xfffffe00acfeab50
ithread_loop() at ithread_loop+0x1c6/frame 0xfffffe00acfeabb0
fork_exit() at fork_exit+0x80/frame 0xfffffe00acfeabf0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00acfeabf0
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
KDB: enter: panic
[ thread pid 12 tid 100027 ]
Stopped at      kdb_enter+0x37: movq    $0,0x108a776(%rip)

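The ownership mistake the commit message describes, as an added illustration that is not FreeBSD's code: a callee that may replace the buffer it was handed must return the new pointer, otherwise the caller keeps using a freed one. All names here (`toy_mbuf`, `toy_pullup`, `mld_input_buggy`/`mld_input_fixed`, `icmp6_input_buggy`/`icmp6_input_fixed`, `rip6_deliver`) are simplified stand-ins, and the fixed pool, the `fragmented` flag and the copy-on-pullup behaviour are assumptions chosen so that the stale-pointer use is detectable in a test instead of faulting like the trace above.

```c
/*
 * Added illustration of the bug in the commit message, not FreeBSD code.
 * mbuf(9) and the mld_input()/icmp6_input()/icmp6_rip6_input() path are
 * modelled by stand-ins so the failure is deterministic and testable.
 */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define TOY_LIVE 0x4d425546u
#define TOY_DEAD 0xdeadbeefu

struct toy_mbuf {
    unsigned magic;         /* TOY_LIVE while owned, TOY_DEAD once freed */
    bool fragmented;        /* assumption: models a non-contiguous header */
    size_t len;
    unsigned char data[64];
};

/* Fixed pool instead of malloc/free: a "freed" buffer keeps its storage
 * and is only marked dead, so reading through a stale pointer is safe
 * here and can be detected (in the kernel it is a GPF, as in the trace). */
#define POOL_SIZE 8
static struct toy_mbuf pool[POOL_SIZE];
static int pool_next;

void toy_pool_reset(void) { memset(pool, 0, sizeof(pool)); pool_next = 0; }

static struct toy_mbuf *toy_get(void) {
    if (pool_next >= POOL_SIZE) return NULL;
    struct toy_mbuf *m = &pool[pool_next++];
    m->magic = TOY_LIVE;
    return m;
}

static void toy_free(struct toy_mbuf *m) { m->magic = TOY_DEAD; }

/* Stand-in for the step that lets the callee change the mbuf (assumed
 * here to behave like an m_pullup()-style copy): if the header is not
 * contiguous, copy into a fresh buffer, free the old one and return the
 * NEW pointer. The old pointer is invalid afterwards. NULL on failure,
 * in which case the mbuf has already been freed. */
static struct toy_mbuf *toy_pullup(struct toy_mbuf *m) {
    if (!m->fragmented) return m;
    struct toy_mbuf *n = toy_get();
    if (n == NULL) { toy_free(m); return NULL; }
    memcpy(n->data, m->data, m->len);
    n->len = m->len;
    n->fragmented = false;
    toy_free(m);
    return n;
}

/* Shape before the fix: the callee may replace the mbuf but returns only
 * a status, so the caller is left holding its original (now dead) pointer. */
int mld_input_buggy(struct toy_mbuf *m) {
    struct toy_mbuf *n = toy_pullup(m);
    if (n == NULL) return -1;        /* mbuf consumed on the error path */
    /* ... MLD processing on n ... */
    return 0;                        /* n is lost; caller still has m */
}

/* Shape after the fix: the callee takes a pointer to the caller's mbuf
 * pointer and writes the updated one back in the non-error case. */
int mld_input_fixed(struct toy_mbuf **mp) {
    struct toy_mbuf *n = toy_pullup(*mp);
    if (n == NULL) { *mp = NULL; return -1; }
    /* ... MLD processing on n ... */
    *mp = n;
    return 0;
}

/* Stand-in for the raw-socket hand-off: 1 if given a live mbuf, 0 if
 * given a stale one (where the real kernel faulted). */
static int rip6_deliver(const struct toy_mbuf *m) {
    return m->magic == TOY_LIVE ? 1 : 0;
}

/* The caller in both shapes. Returns 1 delivered OK, 0 stale pointer
 * used, -1 error (mbuf consumed by the callee, nothing further touched). */
int icmp6_input_buggy(struct toy_mbuf *m) {
    if (mld_input_buggy(m) != 0) return -1;
    return rip6_deliver(m);          /* m may be dead: the reported panic */
}

int icmp6_input_fixed(struct toy_mbuf *m) {
    if (mld_input_fixed(&m) != 0) return -1;
    return rip6_deliver(m);          /* m is the updated pointer */
}

/* Constructed sample input: a packet starting with ICMPv6 type 130
 * (MLD listener query), optionally marked as needing a pull-up. */
struct toy_mbuf *make_packet(bool fragmented) {
    struct toy_mbuf *m = toy_get();
    if (m == NULL) return NULL;
    static const unsigned char hdr[] = { 0x82, 0x00, 0x00, 0x00 };
    memcpy(m->data, hdr, sizeof(hdr));
    m->len = sizeof(hdr);
    m->fragmented = fragmented;
    return m;
}

/* Error-path check: exhaust the pool so the pull-up fails; the fixed
 * caller must return -1 without touching the consumed mbuf. */
int pool_exhaustion_case(void) {
    toy_pool_reset();
    struct toy_mbuf *last = NULL;
    for (int i = 0; i < POOL_SIZE; i++) last = make_packet(true);
    return last == NULL ? -2 : icmp6_input_fixed(last);
}
```

Only a packet that forces the copy exposes the difference: with a contiguous header both callers deliver a live mbuf, which is why the commit adds a dedicated MLD test case rather than relying on ordinary traffic.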