Date: Thu, 24 May 2007 13:00:10 +0200 From: "Fredrik Lindberg" <fli@shapeshifter.se> To: FreeBSD-gnats-submit@FreeBSD.org Subject: kern/112937: Panic in em(4) when issuing a SIOCGIFADDR ioctl Message-ID: <20070524110010.B41CC78C20@mx1.h3q.net> Resent-Message-ID: <200705241130.l4OBU6sk054898@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 112937 >Category: kern >Synopsis: Panic in em(4) when issuing a SIOCGIFADDR ioctl >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu May 24 11:30:05 GMT 2007 >Closed-Date: >Last-Modified: >Originator: Fredrik Lindberg >Release: FreeBSD 7.0-CURRENT i386 >Organization: >Environment: System: FreeBSD genesis 7.0-CURRENT FreeBSD 7.0-CURRENT #16: Sat May 12 15:44:05 CEST 2007 root@genesis:/usr/obj/usr/src/sys/GENESIS i386 >Description: The em-driver will panic if one issues a SIOCGIFADDR ioctl to a em-device with only an inet6 address configured. em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=18b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWCSUM,TSO4> ether 00:11:25:16:db:58 inet6 fe80::211:25ff:fe16:db58%em0 prefixlen 64 scopeid 0x1 media: Ethernet autoselect status: no carrier Fatal trap 12: page fault while in kernel mode cpuid = 0; apic id = 00 fault virtual address = 0x306d66 fault code = supervisor read, page not present instruction pointer = 0x20:0xc087113b stack pointer = 0x28:0xe63b4b4c frame pointer = 0x28:0xe63b4b7c code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, def32 1, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 1576 (foo) Backtrace #9 0xc06ad62b in calltrap () at /usr/src/sys/i386/i386/exception.s:139 #10 0xc087113b in em_ioctl (ifp=0xc3c01c00, command=3223349537, data=0xc48fcd80 "em0") at /usr/src/sys/modules/em/../../dev/em/if_em.c:977 #11 0xc05e44ff in in6_control (so=0xc46cd318, cmd=3284147200, data=0xc48fcd80 "em0", ifp=0xc3c01c00, td=0xc4227000) at /usr/src/sys/netinet6/in6.c:785 #12 0xc059f258 in ifioctl (so=0xc46cd318, cmd=3223349537, data=0xc48fcd80 "em0", td=0xc4227000) at /usr/src/sys/net/if.c:1874 #13 0xc055ae97 in soo_ioctl (fp=0x306d65, cmd=3223349537, data=0xc48fcd80, active_cred=0xc4265700, td=0xc4227000) at /usr/src/sys/kern/sys_socket.c:202 #14 0xc0555dba in kern_ioctl (td=0xc4227000, fd=3, com=3223349537, data=0xc48fcd80 "em0") at file.h:266 #15 0xc0555bc5 in ioctl (td=0xc4227000, uap=0xe63b4d00) at /usr/src/sys/kern/sys_generic.c:542 The offending line is (kgdb) f 10 #10 0xc087113b in em_ioctl (ifp=0xc3c01c00, command=3223349537, data=0xc48fcd80 "em0") at /usr/src/sys/modules/em/../../dev/em/if_em.c:977 977 if (ifa->ifa_addr->sa_family == AF_INET) { >How-To-Repeat: The following code should trigger the panic, but not if an inet4 address is configured on the interface. #include <string.h> #include <sys/ioctl.h> #include <sys/sockio.h> #include <sys/socket.h> #include <net/if.h> int main(int argc, char *argv[]) { int sock; struct ifreq ifreq; sock = socket(AF_INET6, SOCK_DGRAM, 0); bzero(&ifreq, sizeof(struct ifreq)); strcpy(ifreq.ifr_name, "em0"); ioctl(sock, SIOCGIFADDR, &ifreq); return (0); } >Fix: For SIOCGIFADDR the cast to a struct ifaddr is invalid and will cause ifa_addr to point to a bogous address. I believe it's safe to simply remove SIOCGIFADDR, the intialization shouldn't be needed in this case. --- if_em.c-20070524 begins here --- Index: if_em.c =================================================================== RCS file: /home/ncvs/src/sys/dev/em/if_em.c,v retrieving revision 1.175 diff -u -u -r1.175 if_em.c --- if_em.c 11 May 2007 21:36:08 -0000 1.175 +++ if_em.c 24 May 2007 10:45:36 -0000 @@ -973,7 +973,6 @@ switch (command) { case SIOCSIFADDR: - case SIOCGIFADDR: if (ifa->ifa_addr->sa_family == AF_INET) { /* * XXX --- if_em.c-20070524 ends here --- >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070524110010.B41CC78C20>