Bug 176596 - [firewire] [ip6] Crash with IPv6 and Firewire
Summary: [firewire] [ip6] Crash with IPv6 and Firewire
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 9.1-RELEASE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Andrey V. Elsukov
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-03-02 04:50 UTC by YOSHIFUJI Hideaki
Modified: 2018-10-02 19:30 UTC

See Also:
bugmeister: mfc-stable10?
bugmeister: mfc-stable9?
bugmeister: mfc-stable8?


Description YOSHIFUJI Hideaki 2013-03-02 04:50:00 UTC
When I try to ping6 a peer (address fe80::1, for example) over firewire, it immediately crashes.

Stack trace is as follows:

kbd_backtrace
panic
trap_fatal
trap_pfault
trap
calltrap
nd6_llinfo_settimer_locked
nd6_na_input
icmp6_input
ip6_input
netisr_dispatch_src
netisr_dispatch
firewire_input
fwip_unicast_input
fw_rcv
fwohci_arcv
fwohci_task_dma
taskqueue_run_locked

How-To-Repeat: Let ${peer_eui64} be the EUI-64 of your peer on fwip0, then
$ ping6 fe80::${peer_eui64}%fwip0
Comment 1 YOSHIFUJI Hideaki 2013-03-02 05:18:10 UTC
See full stack trace at:
https://twitter.com/yoshfuji/status/307707100627337216/photo/1
Comment 2 Mark Linimon 2013-03-02 23:34:38 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-net

Over to maintainer(s).
Comment 3 Andrey V. Elsukov 2013-06-14 16:40:18 UTC
Responsible Changed
From-To: freebsd-net->ae

Take it.
Comment 4 Andrey V. Elsukov 2013-06-30 17:25:19 UTC
Hi,

It seems to me that in the nd6_cache_lladdr() function, at these lines:

1592         if (lladdr) {           /* (3-5) and (7) */
1593                 /*
1594                  * Record source link-layer address
1595                  * XXX is it dependent to ifp->if_type?
1596                  */
1597                 bcopy(lladdr, &ln->ll_addr, ifp->if_addrlen);

bcopy overwrites part of the lle_timer struct, and this then triggers a panic
in callout_reset().

-- 
WBR, Andrey V. Elsukov
Comment 5 Andrey V. Elsukov 2013-06-30 22:50:35 UTC
State Changed
From-To: open->analyzed

fwip(4) has a 16-byte hardware address, but struct llentry
expects only 8 bytes. In nd6_cache_lladdr() the lle_timer field
gets overwritten, and this leads to a panic in
callout_reset().
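The overrun described in comments 4 and 5, modelled in user space as an added example. This is not FreeBSD's struct llentry or nd6_cache_lladdr(); the field names mirror the report, and the layout (an 8-byte ll_addr slot immediately followed by the callout used as lle_timer) and the 16-byte fwip address length are assumptions taken from the comments above. The unchecked copy trusts ifp->if_addrlen exactly as the quoted bcopy() does; the guarded variant is the kind of check a reviewer would ask for and is not the fix committed in r254823.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of the link-layer entry from the report. Sizes are assumptions:
 * an 8-byte address slot, then the timer callout directly after it.
 */
#define TOY_LL_ADDR_LEN   8   /* what the toy llentry reserves for ll_addr */
#define FWIP_ADDRLEN     16   /* fwip(4) hardware address length, per comment 5 */
#define ETHER_ADDRLEN     6   /* an address that fits, for contrast */

struct toy_callout {
    uintptr_t c_func;         /* stands in for the callout's function pointer */
    uintptr_t c_arg;
};

struct toy_llentry {
    uint8_t            ll_addr[TOY_LL_ADDR_LEN];
    struct toy_callout lle_timer;   /* directly after ll_addr, as in the report */
};

/* Fill a constructed link-layer address of the requested length (capped at 16). */
static size_t make_lladdr(uint8_t *buf, size_t len) {
    if (len > FWIP_ADDRLEN)
        len = FWIP_ADDRLEN;
    for (size_t i = 0; i < len; i++)
        buf[i] = (uint8_t)(0x10 + i);   /* constructed sample bytes, never 0xA5 */
    return len;
}

/* The unchecked copy from the quoted nd6_cache_lladdr() lines: trusts if_addrlen. */
static void cache_lladdr_unchecked(struct toy_llentry *ln, const uint8_t *lladdr, size_t if_addrlen) {
    /* Written through a byte pointer to the whole entry so the overrun lands in
     * lle_timer instead of being trapped by compiler fortification; the kernel's
     * bcopy() into &ln->ll_addr behaves the same way. */
    memcpy((uint8_t *)ln + offsetof(struct toy_llentry, ll_addr), lladdr, if_addrlen);
}

/* Guarded copy: refuse any address longer than the slot. 0 if copied, -1 if rejected. */
static int cache_lladdr_checked(struct toy_llentry *ln, const uint8_t *lladdr, size_t if_addrlen) {
    if (if_addrlen > sizeof ln->ll_addr)
        return -1;
    memcpy(ln->ll_addr, lladdr, if_addrlen);
    return 0;
}

/* Returns 1 if an unchecked copy of an if_addrlen-byte address changed lle_timer, else 0. */
int timer_clobbered_after_unchecked_copy(size_t if_addrlen) {
    struct toy_llentry ln;
    uint8_t lladdr[FWIP_ADDRLEN];
    struct toy_callout before;

    memset(&ln, 0xA5, sizeof ln);            /* sentinel pattern in the timer */
    before = ln.lle_timer;
    if_addrlen = make_lladdr(lladdr, if_addrlen);
    cache_lladdr_unchecked(&ln, lladdr, if_addrlen);
    return memcmp(&before, &ln.lle_timer, sizeof before) != 0;
}

/* Returns the guarded copy's result for an if_addrlen-byte address: 0 accepted, -1 rejected. */
int checked_copy_result(size_t if_addrlen) {
    struct toy_llentry ln;
    uint8_t lladdr[FWIP_ADDRLEN];

    memset(&ln, 0xA5, sizeof ln);
    if_addrlen = make_lladdr(lladdr, if_addrlen);
    return cache_lladdr_checked(&ln, lladdr, if_addrlen);
}

int main(void) {
    printf("fwip (%d bytes) unchecked: timer clobbered = %d\n", FWIP_ADDRLEN,
           timer_clobbered_after_unchecked_copy(FWIP_ADDRLEN));
    printf("ether (%d bytes) unchecked: timer clobbered = %d\n", ETHER_ADDRLEN,
           timer_clobbered_after_unchecked_copy(ETHER_ADDRLEN));
    printf("fwip guarded: %d, ether guarded: %d\n",
           checked_copy_result(FWIP_ADDRLEN), checked_copy_result(ETHER_ADDRLEN));
    return 0;
}
```

With a 16-byte address the bytes past ll_addr land in lle_timer, which is why the kernel's next callout_reset() on that entry sees a corrupted callout and panics; a 6- or 8-byte address leaves the timer untouched, which is why Ethernet never showed the problem.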
Comment 6 Andrey V. Elsukov 2013-11-22 04:46:30 UTC
State Changed
From-To: analyzed->patched

This has been fixed in head/ with r254823. Thanks!