189089 – Panic when removing an IP address from an interface, if the same address exists on another interface

Bug 189089 - Panic when removing an IP address from an interface, if the same address exists on another interface

Summary: Panic when removing an IP address from an interface, if the same address exis...

Status:	Closed FIXED

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	kern (show other bugs)
Version:	Unspecified
Hardware:	Any Any

Importance:	Normal Affects Some People
Assignee:	Alan Somers

URL:
Keywords:

Depends on:
Blocks:

Reported:	2014-04-28 23:50 UTC by Alan Somers
Modified:	2014-09-18 23:25 UTC (History)
CC List:	0 users

See Also:

Attachments
file.diff (2.84 KB, patch) 2014-04-28 23:50 UTC, Alan Somers	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alan Somers freebsd_committer

2014-04-28 23:50:00 UTC

If you assign the same IP address to multiple interfaces simultaneously, then remove it from one of them, the system will panic with this message:

panic: rtalloc1_fib: bad fibnum

The panic was introduced by revision 264887, which changed the fibnum parameter in the call to rtalloc1_fib() in ifa_switch_loopback_route() from RT_DEFAULT_FIB to RT_ALL_FIBS.  Prior to 264887 the call would always succeed, but it could corrupt the network stack if the route in question was not located in the default fib.  That wasn't a big deal though, since prior to 264887 it was very difficult create that route in a nondefault fib.

Fix: The solution is to use the interface fib instead of either the default fib or ALL_FIBS.  This will give equivalent behavior as the pre-264887 status quo for the majority of users.

Patch attached with submission follows:
How-To-Repeat: # # Set net.fibs=1 and net.add_addr_allfibs=1
# ifconfig tap0 create
# ifconfig tap1 create
# ifconfig tap0 192.0.0.2/24 up
# ifconfig tap1 192.0.0.2/32 up
# netstat -rn -f inet
Routing tables

Internet:
Destination        Gateway            Flags    Netif Expire
default            10.1.0.1           UGS       em0
10.1.0.0/20        link#1             U         em0
10.1.3.220         link#1             UHS       lo0
127.0.0.1          link#2             UH        lo0
192.0.0.0/24       link#3             U        tap0
192.0.0.2          link#3             UHS       lo0
192.0.0.2/32       link#4             U        tap1
# ifconfig tap1 -alias 192.0.0.2 # This line will panic!

Comment 1 dfilter service freebsd_committer

2014-04-29 15:46:48 UTC

Author: asomers
Date: Tue Apr 29 14:46:45 2014
New Revision: 265092
URL: http://svnweb.freebsd.org/changeset/base/265092

Log:
  Fix a panic when removing an IP address from an interface, if the same address
  exists on another interface.  The panic was introduced by change 264887, which
  changed the fibnum parameter in the call to rtalloc1_fib() in
  ifa_switch_loopback_route() from RT_DEFAULT_FIB to RT_ALL_FIBS.  The solution
  is to use the interface fib in that call.  For the majority of users, that will
  be equivalent to the legacy behavior.
  
  PR:		kern/189089
  Reported by:	neel
  Reviewed by:	neel
  MFC after:	3 weeks
  X-MFC with:	264887
  Sponsored by:	Spectra Logic

Modified:
  head/sys/netinet/in.c
  head/tests/sys/netinet/fibs_test.sh

Modified: head/sys/netinet/in.c
==============================================================================
--- head/sys/netinet/in.c	Tue Apr 29 12:52:36 2014	(r265091)
+++ head/sys/netinet/in.c	Tue Apr 29 14:46:45 2014	(r265092)
@@ -696,11 +696,9 @@ in_scrubprefix(struct in_ifaddr *target,
 {
 	struct in_ifaddr *ia;
 	struct in_addr prefix, mask, p, m;
-	int error = 0, fibnum;
+	int error = 0;
 	struct sockaddr_in prefix0, mask0;
 
-	fibnum = rt_add_addr_allfibs ? RT_ALL_FIBS : target->ia_ifp->if_fib;
-
 	/*
 	 * Remove the loopback route to the interface address.
 	 */
@@ -712,6 +710,8 @@ in_scrubprefix(struct in_ifaddr *target,
 		eia = in_localip_more(target);
 
 		if (eia != NULL) {
+			int fibnum = target->ia_ifp->if_fib;
+
 			error = ifa_switch_loopback_route((struct ifaddr *)eia,
 			    (struct sockaddr *)&target->ia_addr, fibnum);
 			ifa_free(&eia->ia_ifa);
@@ -736,6 +736,10 @@ in_scrubprefix(struct in_ifaddr *target,
 	}
 
 	if ((target->ia_flags & IFA_ROUTE) == 0) {
+		int fibnum;
+		
+		fibnum = rt_add_addr_allfibs ? RT_ALL_FIBS :
+			target->ia_ifp->if_fib;
 		rt_addrmsg(RTM_DELETE, &target->ia_ifa, fibnum);
 		return (0);
 	}

Modified: head/tests/sys/netinet/fibs_test.sh
==============================================================================
--- head/tests/sys/netinet/fibs_test.sh	Tue Apr 29 12:52:36 2014	(r265091)
+++ head/tests/sys/netinet/fibs_test.sh	Tue Apr 29 14:46:45 2014	(r265092)
@@ -213,6 +213,45 @@ default_route_with_multiple_fibs_on_same
 }
 
 
+# Regression test for PR kern/189089
+# Create two tap interfaces and assign them both the same IP address but with
+# different netmasks, and both on the default FIB.  Then remove one's IP
+# address.  Hopefully the machine won't panic.
+atf_test_case same_ip_multiple_ifaces_fib0 cleanup
+same_ip_multiple_ifaces_fib0_head()
+{
+	atf_set "descr" "Can remove an IP alias from an interface when the same IP is also assigned to another interface."
+	atf_set "require.user" "root"
+	atf_set "require.config" "fibs"
+}
+same_ip_multiple_ifaces_fib0_body()
+{
+	ADDR="192.0.2.2"
+	MASK0="24"
+	MASK1="32"
+
+	# Unlike most of the tests in this file, this is applicable regardless
+	# of net.add_addr_allfibs
+
+	# Setup the interfaces, then remove one alias.  It should not panic.
+	setup_tap 0 ${ADDR} ${MASK0}
+	TAP0=${TAP}
+	setup_tap 0 ${ADDR} ${MASK1}
+	TAP1=${TAP}
+	ifconfig ${TAP1} -alias ${ADDR}
+
+	# Do it again, in the opposite order.  It should not panic.
+	setup_tap 0 ${ADDR} ${MASK0}
+	TAP0=${TAP}
+	setup_tap 0 ${ADDR} ${MASK1}
+	TAP1=${TAP}
+	ifconfig ${TAP0} -alias ${ADDR}
+}
+same_ip_multiple_ifaces_fib0_cleanup()
+{
+	cleanup_tap
+}
+
 # Regression test for kern/187550
 atf_test_case subnet_route_with_multiple_fibs_on_same_subnet cleanup
 subnet_route_with_multiple_fibs_on_same_subnet_head()
@@ -309,6 +348,7 @@ atf_init_test_cases()
 	atf_add_test_case arpresolve_checks_interface_fib
 	atf_add_test_case loopback_and_network_routes_on_nondefault_fib
 	atf_add_test_case default_route_with_multiple_fibs_on_same_subnet
+	atf_add_test_case same_ip_multiple_ifaces_fib0
 	atf_add_test_case subnet_route_with_multiple_fibs_on_same_subnet
 	atf_add_test_case udp_dontroute
 }
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"

Comment 2 Alan Somers freebsd_committer

2014-04-29 16:07:26 UTC

State Changed
From-To: open->patched

Patched by change 265092

Comment 3 Alan Somers freebsd_committer

2014-04-29 16:07:26 UTC

Responsible Changed
From-To: freebsd-bugs->asomers

Patched by change 265092

Comment 4 commit-hook freebsd_committer

2014-09-18 22:13:12 UTC

A commit references this bug:

Author: asomers
Date: Thu Sep 18 22:12:52 UTC 2014
New revision: 271842
URL: http://svnweb.freebsd.org/changeset/base/271842

Log:
  MFC r265092, except for the ATF bits.

  Fix a panic when removing an IP address from an interface, if the same address
  exists on another interface.  The panic was introduced by change 264887, which
  changed the fibnum parameter in the call to rtalloc1_fib() in
  ifa_switch_loopback_route() from RT_DEFAULT_FIB to RT_ALL_FIBS.  The solution
  is to use the interface fib in that call.  For the majority of users, that will
  be equivalent to the legacy behavior.

  PR:             kern/189089

Changes:
_U  stable/9/
_U  stable/9/sys/
  stable/9/sys/netinet/in.c

Comment 5 Alan Somers freebsd_committer

2014-09-18 23:25:56 UTC

MFCed to stable 9 by r271842 and to stable/10 by 267195.