kern/50522: gif(4) ioctl causes panic while someone is using the gif(4) interface.

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/50522: gif(4) ioctl causes panic while someone is using the gif(4) interface.
From: k-nakahara%iij.ad.jp@localhost
Date: Fri, 11 Dec 2015 07:50:00 +0000 (UTC)

>Number:         50522
>Category:       kern
>Synopsis:       gif(4) ioctl causes panic while someone is using the gif(4) interface.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Dec 11 07:50:00 +0000 2015
>Originator:     Kengo NAKAHARA
>Release:        7.99.24
>Organization:
>Environment:
NetBSD 7.99.24 (GENERIC)
>Description:
While someone transmits and receive over gif0, "ifconfig gif0 tunnel other_src
other_dst" and "ifconfig gif0 deletetunnel" would cause panic.

Here is the backtrace.
====================
fatal page fault in supervisor mode
trap type 6 code 0 rip ffffffff808d4494 cs 8 rflags 10202 cr2 4 ilevel 4 rsp fffffe810e8d8da8
curlwp 0xfffffe827f72a420 pid 0.3 lowest kstack 0xfffffe810e8d52c0
kernel: page fault trap, code=0
Stopped in pid 0.3 (system) at  netbsd:in_gif_input+0xb4:       cmpl    %esi,4(%
rax)
in_gif_input() at netbsd:in_gif_input+0xb4
encap4_input() at netbsd:encap4_input+0x187
ipintr() at netbsd:ipintr+0x8d0
softint_dispatch() at netbsd:softint_dispatch+0xd3
====================
>How-To-Repeat:
(1) setup gif the tested NetBSD machine and the peer machine

(2) do "ping -f" over gif(4) from the peer machine

(3) repeat "ifconfig tunnel" and "ifconfig deletetunnel" on the tested NetBSD
    machine, such as the following code
====================
#!/bin/sh

cat > test_gif_load.sh <<-EOF
ifconfig gif0 tunnel 192.168.0.250 192.168.0.18 &
ifconfig gif0 tunnel 192.168.0.250 192.168.0.18 &
ifconfig gif0 deletetunnel & 
ifconfig gif0 tunnel 192.168.0.250 192.168.0.18 &
ifconfig gif0 tunnel 192.168.0.250 192.168.0.18 &
ifconfig gif0 deletetunnel & 
EOF

while true; do echo hogs >/dev/null; done &
while true; do sh test_gif_load.sh ; done
====================

(4) wait a minute, it causes panic


# I think a single CPU machine does not panic by this, maybe.
>Fix:
I fix this bug soon.

Prev by Date: port-sparc/50516: src/sys/arch/sparc/sparc/trap.c:1255: bad switch case ?
Next by Date: PR/50516 CVS commit: src/sys/arch/i386/stand/lib
Previous by Thread: port-i386/50515: src/sys/arch/i386/stand/lib/dosfile.c:63: bad switch statement ?
Next by Thread: PR/50516 CVS commit: src/sys/arch/i386/stand/lib
Indexes:

Home | Main Index | Thread Index | Old Index