| Summary: | [firewire] [ip6] Crash with IPv6 and Firewire | | |
|---|---|---|---|
| Product: | Base System | Reporter: | YOSHIFUJI Hideaki <yoshfuji> |
| Component: | kern | Assignee: | Andrey V. Elsukov <ae> |
| Status: | Closed FIXED | | |
| Severity: | Affects Only Me | CC: | emaste |
| Priority: | Normal | Flags: | bugmeister: mfc-stable10? bugmeister: mfc-stable9? bugmeister: mfc-stable8? |
| Version: | 9.1-RELEASE | | |
| Hardware: | Any | | |
| OS: | Any | | |
See full stack trace at: https://twitter.com/yoshfuji/status/307707100627337216/photo/1

Responsible Changed From-To: freebsd-bugs->freebsd-net
Over to maintainer(s).

Responsible Changed From-To: freebsd-net->ae
Take it.

Hi,

It seems to me that in the nd6_cache_lladdr() function, at these lines:
```c
1592 if (lladdr) { /* (3-5) and (7) */
1593 /*
1594  * Record source link-layer address
1595  * XXX is it dependent to ifp->if_type?
1596  */
1597 bcopy(lladdr, &ln->ll_addr, ifp->if_addrlen);
```

bcopy overwrites part of the lle_timer struct, and this then triggers a panic
in callout_reset().
--
WBR, Andrey V. Elsukov
State Changed From-To: open->analyzed

fwip(4) has a 16-byte hardware address, but struct llentry expects only 8 bytes. In nd6_cache_lladdr() the lle_timer field is overwritten, and this leads to a panic in callout_reset().

State Changed From-To: analyzed->patched

This has been fixed in head/ with r254823. Thanks!
When I try to ping6 a peer (address fe80::1, for example) over Firewire, it immediately crashes. The stack trace is as follows:

```text
kbd_backtrace
panic
trap_fatal
trap_pfault
trap
calltrap
nd6_llinfo_settimer_locked
nd6_na_input
icmp6_input
ip6_input
netisr_dispatch_src
netisr_dispatch
firewire_input
fwip_unicast_input
fw_rcv
fwohci_arcv
fwohci_task_dma
taskqueue_run_locked
```

How-To-Repeat: Let ${peer_eui64} be the EUI-64 of your peer on fwip0, then:

```text
$ ping6 fe80::${peer_eui64}%fwip0
```
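The overwrite described in the analysis above, as an added example that is not part of the bug report or of FreeBSD's own code: a cut-down model of an 8-byte ll_addr slot with a neighbouring field standing in for lle_timer (a simplified layout, not the real struct llentry), the unchecked copy from nd6_cache_lladdr() next to a variant that rejects any address longer than the slot, driven with a constructed 16-byte address matching the fwip if_addrlen the report names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model (assumption, not FreeBSD's real struct llentry). */
#define LL_ADDR_LEN 8

struct mock_llentry {
    uint8_t  ll_addr[LL_ADDR_LEN];  /* sized for an 8-byte link-layer address */
    uint64_t lle_timer;             /* stand-in for the timer state that follows */
};

#define TIMER_SENTINEL 0xC0FFEE0000000000ULL

/* Pre-fix behaviour: copy if_addrlen bytes with no length check. The copy goes
 * through a byte pointer over the whole struct so the spill lands in lle_timer
 * deterministically (the model stays inside the object, so no undefined
 * behaviour). Returns how many bytes landed outside ll_addr. */
static size_t cache_lladdr_unchecked(struct mock_llentry *ln,
                                     const uint8_t *lladdr, size_t if_addrlen)
{
    uint8_t *dst = (uint8_t *)ln + offsetof(struct mock_llentry, ll_addr);
    size_t i;

    if (if_addrlen > sizeof(*ln))      /* keep the model itself in bounds */
        if_addrlen = sizeof(*ln);
    for (i = 0; i < if_addrlen; i++)
        dst[i] = lladdr[i];            /* the bcopy() from the report */
    return if_addrlen > LL_ADDR_LEN ? if_addrlen - LL_ADDR_LEN : 0;
}

/* Hardened variant: refuse an address that does not fit the slot and leave the
 * entry untouched. Returns 0 on success, -1 if rejected. */
static int cache_lladdr_checked(struct mock_llentry *ln,
                                const uint8_t *lladdr, size_t if_addrlen)
{
    if (if_addrlen > sizeof(ln->ll_addr))
        return -1;
    memcpy(ln->ll_addr, lladdr, if_addrlen);
    return 0;
}

/* Feed both variants a constructed 16-byte address. Returns 1 when the
 * unchecked copy clobbers the timer field and the checked one preserves it. */
int demo_firewire_addrlen(void)
{
    static const uint8_t fw_addr[16] = { 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,
                                         0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff };
    struct mock_llentry a = { {0}, TIMER_SENTINEL }, b = { {0}, TIMER_SENTINEL };
    size_t spilled = cache_lladdr_unchecked(&a, fw_addr, sizeof(fw_addr));
    int rc = cache_lladdr_checked(&b, fw_addr, sizeof(fw_addr));

    return spilled == 8 && a.lle_timer != TIMER_SENTINEL &&
           rc == -1 && b.lle_timer == TIMER_SENTINEL;
}
```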