kern/47576: deleting interface that does not have ipv6 link-local address causes kernel panic

[Takahiro HAYASHI <t-hash%abox3.so-net.ne.jp@localhost>]

>Number:         47576
>Category:       kern
>Synopsis:       deleting interface that does not have ipv6 link-local address 
>causes kernel panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Feb 18 13:15:00 +0000 2013
>Originator:     Takahiro HAYASHI
>Release:        NetBSD 6.99.16
>Organization:
>Environment:
System: NetBSD ruin 6.99.16 NetBSD 6.99.16 (MONOLITHIC) #0: Wed Feb 13 13:56:34 
UTC 2013 
builds%b7.netbsd.org@localhost:/home/builds/ab/HEAD/i386/201302130710Z-obj/home/builds/ab/HEAD/src/sys/arch/i386/compile/MONOLITHIC
 i386
Architecture: i386
Machine: i386
>Description:
        Deleting interface that does not have ipv6 link-local address
        causes kernel panic.
        Unplug'ing USB ethernet adapter that does not have ipv6
        link-local address also causes panic.

# ifconfig tap0 create up
# ifconfig tap0
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ec_capabilities=5<VLAN_MTU,JUMBO_MTU>
        ec_enabled=0
        address: f2:0b:a4:4c:05:7e
        media: Ethernet autoselect
        inet6 fe80::f00b:a4ff:fe4c:57e%tap0 prefixlen 64 scopeid 0x4
# ifconfig tap0 inet6 `ifconfig tap0|grep fe80|awk '{print $2}'` delete
# ifconfig tap0
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ec_capabilities=5<VLAN_MTU,JUMBO_MTU>
        ec_enabled=0
        address: f2:0b:a4:4c:05:7e
        media: Ethernet autoselect
# ifconfig tap0 destroy
uvm_fault(0xc1fc9eec, 0, 1) -> 0xe
fatal page fault in supervisor mode
trap type 6 code 0 eip c06457fc cs 8 eflags 10246 cr2 10 ilevel 6 esp 4
curlwp 0xc1fb9560 pid 402 lid 1 lowest kstack 0xd87b3000
kernel: supervisor trap page fault, code=0
Stopped in pid 402.1 (ifconfig) at      netbsd:prelist_remove+0xd2:     movl    
1
0(%esi),%edx
db{0}> bt
prelist_remove(c1c9f084,d87b5900,c1c49320,d87b586c,c04d0629,c1c49320,c1c49320,c0
766c70,c1c49320,c1c49320) at netbsd:prelist_remove+0xd2
nd6_purge(c1c49320,c1c49320,c0766c70,c1c49320,c1c49320,0,d87b586c,c04cbce0,c1c49
320,d87b5900) at netbsd:nd6_purge+0x105
in6_ifdetach(c1c49320,c1c49320,c04cea91,c0ce02a0,ffffffff,c1ee27a0,c1fb9560,1,c1
fb9560,c1c49320) at netbsd:in6_ifdetach+0x1c
udp6_usrreq(d87b5900,16,0,0,c1c49320,c1fb9560,c1c49320,d87b5a60,c03b1c89,d87b590
0) at netbsd:udp6_usrreq+0x275
udp6_usrreq_wrapper(d87b5900,16,0,0,c1c49320,c1fb9560,d87b5900,0,0,0) at netbsd:
udp6_usrreq_wrapper+0x41
if_detach(c1c49320,4,12,455,0,ffffffff,0,c0c749a0,c1b8f040,c0cdf820) at netbsd:i
f_detach+0x203
tap_detach(c1b8f040,0,c0bb1bc5,d87b5ad4,c03b0010,c1c0e000,c0bb1bc1,3,c1c49320,c1
c0e000) at netbsd:tap_detach+0xc3
config_detach(c1b8f040,0,80906979,0,c1c49320,d87b5bd4,c03b2c06,c1b8f040,4,14) at
 netbsd:config_detach+0xc4
tap_clone_destroyer(c1b8f040,4,14,c1c49320,80906979,0,0,c1fb9560,c1b87618,c1c0e0
00) at netbsd:tap_clone_destroyer+0x26
ifioctl(c1fd17cc,80906979,c1c0e000,c1fb9560,0,c1022980,d87b5c24,80906979,d87b5d0
0,c1c2b440) at netbsd:ifioctl+0x430
soo_ioctl(c1c2b440,80906979,c1c0e000,c1feae1c,c1feae40,c1fead80,d87b5c48,c055dd7
d,90,c1fead80) at netbsd:soo_ioctl+0x2c5
sys_ioctl(c1fb9560,d87b5d00,d87b5d28,c1fc9eec,0,36,c1ca21b4,d87b5d00,3,80906979)
 at netbsd:sys_ioctl+0x1b2
syscall() at netbsd:syscall+0x89
--- syscall (number 54) ---
bbb3ef27:
db{0}> 

>How-To-Repeat:
        Type following commands.

        ifconfig tap0 create up
        ifconfig tap0 inet6 `ifconfig tap0|grep fe80|awk '{print $2}'` delete
        ifconfig tap0 destroy
>Fix:
        Not known.
        You can avoid panic by adding ipv6 link-local address before
        you delete the interface.

--
t-hash