Date: Mon, 10 Apr 2000 20:58:54 +0200 (CEST) From: Samuel Tardieu <sam@inf.enst.fr> To: FreeBSD-gnats-submit@freebsd.org Subject: kern/17909: Panic when removing a pccard which has a seen an IPv6 router advertisement Message-ID: <20000410185854.1FADE409@antinea.enst.fr>
next in thread | raw e-mail | index | archive | help
>Number: 17909
>Category: kern
>Synopsis: Panic when removing a pccard which has a seen an IPv6 router advertisement
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Apr 10 12:30:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Samuel Tardieu <sam@inf.enst.fr>
>Release: FreeBSD 5.0-CURRENT i386
>Organization:
ENST
>Environment:
-CURRENT from last week on a Compaq Armada V300 laptop. I am located
on an IPv6 enabled network with routers doing advertisement on the
Ethernet (another -CURRENT machine btw).
>Description:
If a PCMCIA card (3C589D, ep0 device) is present in the laptop and
is removed after a router advertisement has been seen on the wire,
the kernel will panic in the next call to nd6_timer. This is due
to the fact that the prefix/router pair is still present with a
reference to the now-unexisting interface.
The panic occurs in in6ifa_ifpwithaddr, called from line 479 of
nd6.c. The prefix structure clearly shows that the prefix/router
pair has not been removed (prefix was 3ffe:403:104:a0::/64):
(gdb) where
#0 in6ifa_ifpwithaddr (ifp=0xc0936a00, addr=0xc09024b8)
at ../../netinet6/in6.c:1339
#1 0xc01db173 in nd6_timer (ignored_arg=0x0) at ../../netinet6/nd6.c:479
#2 0xc0159c65 in softclock () at ../../kern/kern_timeout.c:131
(gdb) fr 1
#1 0xc01db173 in nd6_timer (ignored_arg=0x0) at ../../netinet6/nd6.c:479
(gdb) p *pr
$4 = {ndpr_ifp = 0xc0936a00, ndpr_entry = {le_next = 0x0,
le_prev = 0xc02a697c}, ndpr_prefix = {sin6_len = 28 '\034',
sin6_family = 28 '\034', sin6_port = 0, sin6_flowinfo = 0, sin6_addr = {
__u6_addr = {
__u6_addr8 = "?þ\003\004\001\003\000 \000\000\000\000\000\000\000",
__u6_addr16 = {65087, 1027, 769, 40960, 0, 0, 0, 0}, __u6_addr32 = {
67370559, 2684355329, 0, 0}}}, sin6_scope_id = 0}, ndpr_mask = {
__u6_addr = {__u6_addr8 = "ÿÿÿÿÿÿÿÿ\000\000\000\000\000\000\000",
__u6_addr16 = {65535, 65535, 65535, 65535, 0, 0, 0, 0}, __u6_addr32 = {
4294967295, 4294967295, 0, 0}}}, ndpr_addr = {__u6_addr = {
__u6_addr8 = "?þ\003\004\001\003\000 \002`\bÿþC\177Ô", __u6_addr16 = {
65087, 1027, 769, 40960, 24578, 65288, 17406, 54399}, __u6_addr32 = {
67370559, 2684355329, 4278738946, 3565110270}}},
ndpr_vltime = 4294967295, ndpr_pltime = 4294967295, ndpr_expire = 0,
ndpr_preferred = 0, ndpr_flags = {onlink = 1 '\001', autonomous = 1 '\001',
reserved = 0 '\000'}, ndpr_advrtrs = {lh_first = 0xc09a9e70},
ndpr_plen = 64 '@', ndpr_stateflags = {onlink = 1 '\001'}}
However, the interface is not valid anymore:
(gdb) p *pr->ndpr_ifp
$6 = {if_softc = 0xdeadc0de, if_name = 0xc029e200 "`ä)À°S", if_link = {
tqe_next = 0xdeadc0de, tqe_prev = 0xc09c5000}, if_addrhead = {
tqh_first = 0xdeadc0de, tqh_last = 0xdeadc0de}, if_pcount = -559038242,
if_bpf = 0xdeadc0de, if_index = 49374, if_unit = -8531, if_timer = -16162,
if_flags = -8531, if_ipending = -559038242, if_linkmib = 0xdeadc0de,
if_linkmiblen = 3735929054, if_data = {ifi_type = 222 'Þ',
ifi_physical = 192 'À', ifi_addrlen = 173 '', ifi_hdrlen = 222 'Þ',
ifi_recvquota = 222 'Þ', ifi_xmitquota = 192 'À', ifi_mtu = 3735929054,
ifi_metric = 0, ifi_baudrate = 10000000, ifi_ipackets = 1739,
ifi_ierrors = 0, ifi_opackets = 26, ifi_oerrors = 0, ifi_collisions = 0,
ifi_ibytes = 310488, ifi_obytes = 2035, ifi_imcasts = 1698,
ifi_omcasts = 3, ifi_iqdrops = 0, ifi_noproto = 0, ifi_hwassist = 0,
ifi_unused = 0, ifi_lastchange = {tv_sec = 955392108, tv_usec = 92647}},
if_multiaddrs = {lh_first = 0xc092fb80}, if_amcount = 0,
if_output = 0xc0193d64 <ether_output>, if_start = 0xc0132fd4 <ep_if_start>,
if_done = 0, if_ioctl = 0xc0133c28 <ep_if_ioctl>,
if_watchdog = 0xc0133d28 <ep_if_watchdog>, if_poll_recv = 0,
if_poll_xmit = 0, if_poll_intren = 0, if_poll_slowinput = 0,
if_init = 0xc0132d94 <ep_if_init>,
if_resolvemulti = 0xc0194900 <ether_resolvemulti>, if_snd = {ifq_head = 0x0,
ifq_tail = 0x0, ifq_len = 0, ifq_maxlen = 50, ifq_drops = 0},
if_poll_slowq = 0x0, if_prefixhead = {tqh_first = 0x0,
tqh_last = 0xc0936ad0}}
>How-To-Repeat:
Put an Ethernet card in a laptop on an IPv6 enabled network with
router advertisements, wait for a global address to be assigned,
then remove the card (or suspend the laptop, this should has the same
effect when it resumes as the interface has been brought down when
suspending).
In fact, if you have a way to completely remove an interface, you
should be able to reproduce this without a laptop.
>Fix:
It looks to me that removing the prefix/router associations bound
to an interface when the interface is brought down is the right thing
to do. Those pairs are useless when the interface is down, even
if present.
>Release-Note:
>Audit-Trail:
>Unformatted:
root
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000410185854.1FADE409>