Bug 229807 - route6d terminate with signal 11
Summary: route6d terminate with signal 11
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: 11.2-RELEASE
Hardware: Any Any
: --- Affects Only Me
Assignee: Mark Johnston
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2018-07-16 14:56 UTC by John Hay
Modified: 2018-08-23 21:25 UTC (History)
1 user (show)

See Also:

Attachments
patch that I am using (477 bytes, patch)
2018-07-16 14:56 UTC, John Hay 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Hay 2018-07-16 14:56:01 UTC 
Created attachment 195173 [details]
patch that I am using

I have a small ntp server (PC Engines APU), with an ipv6 subnet on lo0 with route6d to advertise it. A few minutes after almost every reboot, route6d will crash with a sig 11. If I then restart route6d, it will run until the next time I reboot. I think it is when re0 finally gets a global ipv6 address.

Currently it is running 11.2, but the problem is not new. It has been there in 10.x and before.

A sanitised piece of rc.conf looks like this:

<snip>
# Disable to make ipv6 work
ifconfig_re0="-rxcsum -txcsum"
ipv4_addrs_re0="X.Y.8.18/24"
ipv4_addrs_lo0="X.Y.58.41/32"
ifconfig_re0_ipv6="inet6 accept_rtadv"
ifconfig_lo0_alias0="inet6 2001:A:B:C::1/64"
defaultrouter="X.Y.8.1"
route6d_enable="YES"
route6d_flags="-s"
ipv6_gateway_enable="YES"
</snip>

Gdb says:

<snip>
root@tick:/ # gdb /usr/sbin/route6d /route6d.old.core
GNU gdb 6.1.1 [FreeBSD]
...
Core was generated by `/usr/sbin/route6d -s'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.7...Reading symbols from /usr/lib/debug//lib/libc.so.7.debug...done.
done.
Loaded symbols for /lib/libc.so.7
Reading symbols from /libexec/ld-elf.so.1...Reading symbols from /usr/lib/debug//libexec/ld-elf.so.1.debug...done.
done.
Loaded symbols for /libexec/ld-elf.so.1
#0  ifrt (ifcp=0x800e38000, again=1) at /usr/src/usr.sbin/route6d/route6d.c:2206
2206                    TAILQ_REMOVE(&riprt_head, rrt, rrt_next);
(gdb)
</snip>

Looking at the code, I think rrt should not be removed, but rather search_rrt and it should be freed afterwards? Route6d has now survived a few reboots with the following patch.

<snip>
--- route6d.c.org       2018-06-22 01:03:51.000000000 +0200
+++ route6d.c   2018-07-08 08:23:53.279925000 +0200
@@ -2203,8 +2203,9 @@
                                        goto next;
                                }
 
-                               TAILQ_REMOVE(&riprt_head, rrt, rrt_next);
-                               delroute(&rrt->rrt_info, &rrt->rrt_gw);
+                               TAILQ_REMOVE(&riprt_head, search_rrt, rrt_next);
+                               delroute(&search_rrt->rrt_info, &search_rrt->rrt_gw);
+                               free(search_rrt);
                        }
                        /* Attach the route to the list */
                        trace(1, "route: %s/%d: register route (%s)\n",
</snip>
Comment 1 commit-hook freebsd_committer freebsd_triage 2018-08-08 20:16:37 UTC 
A commit references this bug:

Author: markj
Date: Wed Aug  8 20:15:41 UTC 2018
New revision: 337500
URL: https://svnweb.freebsd.org/changeset/base/337500

Log:
  Use the right variable when updating interface routes.

  PR:		229807
  Submitted by:	John Hay <jhay@meraka.org.za>
  MFC after:	2 weeks

Changes:
  head/usr.sbin/route6d/route6d.c
Comment 2 Mark Johnston freebsd_committer freebsd_triage 2018-08-08 20:17:38 UTC 
Thanks for the patch.  I'll merge it to the stable/11 branch in a couple of weeks.
Comment 3 commit-hook freebsd_committer freebsd_triage 2018-08-23 21:24:44 UTC 
A commit references this bug:

Author: markj
Date: Thu Aug 23 21:24:23 UTC 2018
New revision: 338279
URL: https://svnweb.freebsd.org/changeset/base/338279

Log:
  MFC r337500:
  Use the right variable when updating interface routes.

  PR:	229807

Changes:
_U  stable/11/
  stable/11/usr.sbin/route6d/route6d.c