Bug 158665 - [ip6] [panic] kernel pagefault in in6_setscope()
Summary: [ip6] [panic] kernel pagefault in in6_setscope()
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: Unspecified
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
URL:
Keywords: crash
Depends on:
Blocks:
 
Reported: 2011-07-05 11:10 UTC by Mike Cui
Modified: 2022-10-17 12:17 UTC (History)

See Also:


Attachments

Description Mike Cui 2011-07-05 11:10:11 UTC
When I set up a 6to4 tunnel device (stf0) and put it in output only mode according to man stf(4):

     # ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00
     # ifconfig stf0 inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \
             prefixlen 16 alias deprecated link0
     # route add -inet6 2002:: -prefixlen 16 ::1
     # route change -inet6 2002:: -prefixlen 16 ::1 -ifp stf0

The kernel often crashes sending traffic to other 2002::/16 hosts. I think the problem is the "deprecated" address that's causing problems when trying to resolve ipv6 scope.

The instruction causing the fault is:
c069cee8:       0f b1 96 18 02 00 00    cmpxchg %edx,0x218(%esi)

which I think corresponds to this line in the source:

int
in6_setscope(struct in6_addr *in6, struct ifnet *ifp, u_int32_t *ret_id)
{
        int scope;
        u_int32_t zoneid = 0;
        struct scope6_id *sid;

        IF_AFDATA_LOCK(ifp);  <----- HERE

The fault virtual address is 0x218, which seems to suggest that ifp passed into this function is NULL.

How-To-Repeat:
1. On a machine with both a public IPv6 address (not 6to4 address) as well as IPv4, create a stf0 device and put it in "output only" mode according to man stf(4).
2. Ping another host using its 6to4 address (2002::/16).
Comment 1 Mike Cui 2011-07-05 11:47:53 UTC
Got a kernel dump, here's the stack trace. Unfortunately I didn't
build the kernel with debugging info.


#7  0xc069cee8 in in6_setscope ()
#8  0xc0685bb9 in in6_selectsrc ()
#9  0xc069aa80 in rip6_output ()
#10 0xc069b193 in rip6_send ()
#11 0xc05a7885 in sosend_generic ()
#12 0xc05a38cf in sosend ()
#13 0xc05ab139 in kern_sendit ()
#14 0xc05ab341 in sendit ()
#15 0xc05ab3f1 in sendmsg ()
#16 0xc0581d2c in syscallenter ()
#17 0xc07278a4 in syscall ()

From the stack trace, it looks like the call happened on in6_src.c:309:

        IN6_IFADDR_RLOCK();
        TAILQ_FOREACH(ia, &V_in6_ifaddrhead, ia_link) {
                int new_scope = -1, new_matchlen = -1;
                struct in6_addrpolicy *new_policy = NULL;
                u_int32_t srczone, osrczone, dstzone;
                struct in6_addr src;
                struct ifnet *ifp1 = ia->ia_ifp;

                /*
                 * We'll never take an address that breaks the scope zone
                 * of the destination.  We also skip an address if its zone
                 * does not contain the outgoing interface.
                 * XXX: we should probably use sin6_scope_id here.
                 */
                if (in6_setscope(&dst, ifp1, &dstzone) ||  <---- HERE
                    odstzone != dstzone) {
                        continue;
                }
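The fault site in the description and the candidate loop in comment 1 point at the same condition: an address entry whose ia_ifp is NULL being handed to in6_setscope(), which locks the interface before checking anything. The following is an added userland model of that loop, not FreeBSD code and not the reporter's; the struct and function names (model_ifnet, model_ifaddr, model_setscope, model_selectsrc, model_run) are simplified stand-ins, the address list is constructed to resemble the reported setup, and a NULL ifp is recorded as a would-be fault instead of being dereferenced. It shows the unguarded loop reaching the lookup with a NULL interface and a caller-side guard that skips such entries first.

```c
/*
 * Added example, not FreeBSD code and not from the reporter: a userland
 * model of the in6_selectsrc() candidate loop quoted in the report.  Names
 * are simplified stand-ins (assumption); the address list is constructed.
 */
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

struct model_ifnet { char name[16]; unsigned int zoneid; };

struct model_ifaddr {
	struct in6_addr addr;
	const struct model_ifnet *ifp;	/* NULL: what the 0x218 fault suggests */
	int deprecated;			/* the "deprecated" flag from the stf0 setup */
	const struct model_ifaddr *next;
};

static int model_faults;			/* lookups that got a NULL ifp */
static char model_chosen[INET6_ADDRSTRLEN];	/* last selected source */

/*
 * Stand-in for in6_setscope().  The kernel version locks *ifp first, so a
 * NULL ifp faults there; this model records the would-be fault and fails
 * the lookup instead of dereferencing NULL.
 */
static int
model_setscope(const struct in6_addr *dst, const struct model_ifnet *ifp,
    unsigned int *zone)
{
	if (ifp == NULL) {
		model_faults++;
		return (1);
	}
	*zone = IN6_IS_ADDR_LINKLOCAL(dst) ? ifp->zoneid : 0;
	return (0);
}

/*
 * Pick a source for dst leaving via outifp.  guard == 0 hands every
 * candidate's ifp to the lookup, as the quoted kernel loop does; guard != 0
 * skips candidates with no interface first.  Preference is simplified to:
 * same zone as the destination, then non-deprecated over deprecated.
 */
static const struct model_ifaddr *
model_selectsrc(const struct in6_addr *dst, const struct model_ifnet *outifp,
    const struct model_ifaddr *head, int guard)
{
	const struct model_ifaddr *best = NULL;
	unsigned int odstzone, dstzone;

	if (model_setscope(dst, outifp, &odstzone))
		return (NULL);
	for (const struct model_ifaddr *ia = head; ia != NULL; ia = ia->next) {
		if (guard && ia->ifp == NULL)
			continue;		/* never pass a NULL ifp down */
		if (model_setscope(dst, ia->ifp, &dstzone) || odstzone != dstzone)
			continue;
		if (best == NULL || (best->deprecated && !ia->deprecated))
			best = ia;
	}
	return (best);
}

/*
 * Constructed list resembling the report's setup: a public address on ne0
 * and the deprecated 6to4 alias with no interface attached.  Returns how
 * many lookups received a NULL ifp; the chosen source is in model_chosen.
 */
int
model_run(int guard)
{
	static struct model_ifnet ne0 = { "ne0", 1 };
	static struct model_ifaddr pub, sixto4;
	const struct model_ifaddr *src;
	struct in6_addr dst;

	inet_pton(AF_INET6, "2001:db8::1", &pub.addr);
	pub.ifp = &ne0; pub.deprecated = 0; pub.next = &sixto4;
	inet_pton(AF_INET6, "2002:8504:506:0:a00:5aff:fe38:6f86", &sixto4.addr);
	sixto4.ifp = NULL; sixto4.deprecated = 1; sixto4.next = NULL;
	inet_pton(AF_INET6, "2002:c000:201::1", &dst);	/* 6to4 form of 192.0.2.1 */

	model_faults = 0;
	src = model_selectsrc(&dst, &ne0, &pub, guard);
	if (src == NULL)
		strcpy(model_chosen, "none");
	else
		inet_ntop(AF_INET6, &src->addr, model_chosen, sizeof(model_chosen));
	return (model_faults);
}

int
main(void)
{
	printf("unguarded: %d NULL-ifp lookups, chose %s\n", model_run(0), model_chosen);
	printf("guarded:   %d NULL-ifp lookups, chose %s\n", model_run(1), model_chosen);
	return (0);
}
```

In both runs the public address is selected, because the 6to4 alias is deprecated and loses anyway; the difference is that the unguarded loop still calls the lookup with a NULL interface for it, which in the kernel is the dereference that faulted at 0x218. Whether ia_ifp can really be NULL for a deprecated stf0 alias is the reporter's hypothesis; the model only shows what follows if it is.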
Comment 2 Mark Linimon freebsd_committer freebsd_triage 2011-07-05 23:23:14 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-net

Over to maintainer(s).
Comment 3 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:31 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped
Comment 4 Graham Perrin freebsd_committer freebsd_triage 2022-10-17 12:17:15 UTC
Keyword: 

    crash

– in lieu of summary line prefix: 

    [panic]

* bulk change for the keyword
* summary lines may be edited manually (not in bulk). 

Keyword descriptions and search interface: 

    <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>