Subject: kern/33269: Panic with IPv6 and certain socket options
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Christian Biere <christianbiere@gmx.de>
List: netbsd-bugs
Date: 04/16/2006 11:10:01
>Number:         33269
>Category:       kern
>Synopsis:       Panic with IPv6 and certain socket options
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Apr 16 11:10:00 +0000 2006
>Originator:     Christian Biere
>Release:        NetBSD 3.99.15
>Environment:
System: NetBSD cyclonus 3.99.15 NetBSD 3.99.15 (STARSCREAM) #4: Tue Feb 28 17:11:06 CET 2006 bin@cyclonus:/o/NetBSD/obj/sys/arch/i386/compile/STARSCREAM i386
Architecture: i386
Machine: i386
>Description:

panic: m_copydata: m == NULL, len 1701
Begin traceback...
m_copydata(c0aa6100,28,6b0,c9ea7800,a31a) at netbsd:m_copydata+0x89
ip6_pullexthdr(c0aa6100,28,0,29,5) at netbsd:ip6_pullexthdr+0x1be
ip6_savecontrol(c08b1888,c0ab7600,c9e94012,c0aa6100,4) at netbsd:ip6_savecontrol+0xac
udp6_sendup(c0aac000,1c,cb1cbee8,c0fc0240,1500) at netbsd:udp6_sendup+0x8f
udp6_realinput(2,cb1cbee8,cb1cbec8,c0aac000,14) at netbsd:udp6_realinput+0xf5
udp_input(c0aac000,14,11,1,c0962000) at netbsd:udp_input+0x1e4
ip_input(c0aac000,0,0,0,c0100c58) at netbsd:ip_input+0x544
ipintr(dad5001f,d5dc001f,bfbf001f,a87001f,81d40a0) at netbsd:ipintr+0x7e
DDB lost frame for netbsd:Xsoftnet+0x41, trying 0xcb1cbfa8
Xsoftnet() at netbsd:Xsoftnet+0x41
--- interrupt ---
0x3212:
End traceback...
syncing disks... Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006
    The NetBSD Foundation, Inc.  All rights reserved.
Copyright (c) 1982, 1986, 1989, 1991, 1993
    The Regents of the University of California.  All rights reserved.

NetBSD 3.99.15 (STARSCREAM) #4: Tue Feb 28 17:11:06 CET 2006
	bin@cyclonus:/o/NetBSD/obj/sys/arch/i386/compile/STARSCREAM
total memory = 255 MiB
avail memory = 247 MiB
BIOS32 rev. 0 found at 0xfdae0
mainbus0 (root)
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Duron (686-class), 1394.16 MHz, id 0x681
cpu0: features c1c3fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR>
cpu0: features c1c3fbff<PGE,MCA,CMOV,PAT,PSE36,MMXX,MMX>
cpu0: features c1c3fbff<FXSR,3DNOW2,3DNOW>
cpu0: "AMD Duron(tm) Processor"
cpu0: I-cache 64 KiB 64B/line 2-way, D-cache 64 KiB 64B/line 2-way
cpu0: L2 cache 64 KiB 64B/line 16-way
cpu0: ITLB 16 4 KiB entries fully associative, 8 4 MiB entries fully associative
cpu0: DTLB 32 4 KiB entries fully associative, 8 4 MiB entries 4-way
cpu0: calibrating local timer
cpu0: apic clock running at 265 MHz
cpu0: 8 page colors
ioapic0 at mainbus0 apid 2 (I/O APIC)
ioapic0: pa 0xfec00000, version 11, 24 pins
acpi0 at mainbus0
acpi0: using Intel ACPI CA subsystem version 20050408
acpi0: X/RSDT: OemId <AMIINT,SiS735XX,00001000>, AslId <MSFT,0100000b>
acpi0: SCI interrupting at int 9
acpi0: fixed-feature power button present
ACPI Object Type 'Processor' (0x0c) at acpi0 not configured
PNP0A03 at acpi0 not configured
PNP0200 at acpi0 not configured
attimer0 at acpi0 (PNP0100): AT Timer
attimer0: io 0x40-0x43 irq 0
PNP0B00 at acpi0 not configured
PNP0800 at acpi0 not configured
npx0 at acpi0 (PNP0C04)
npx0: io 0xf0-0xff irq 13
npx0: using exception 16
pckbc0 at acpi0 (PNP0F03): aux port
pckbc0: irq 12
pckbc1 at acpi0 (PNP0303): kbd port
pckbc1: io 0x60,0x64 irq 1
fdc0 at acpi0 (PNP0700)
fdc0: io 0x3f2-0x3f5,0x3f7 irq 6 drq 2
com0 at acpi0 (PNP0501-1)
com0: io 0x3f8-0x3ff irq 4
com0: ns16550a, working fifo
com1 at acpi0 (PNP0501-2)
com1: io 0x2f8-0x2ff irq 3
com1: ns16550a, working fifo
lpt0 at acpi0 (PNP0400)
lpt0: io 0x378-0x37f irq 7
ACPI Object Type 'Power' (0x0b) at acpi0 not configured
ACPI Object Type 'Power' (0x0b) at acpi0 not configured
ACPI Object Type 'Power' (0x0b) at acpi0 not configured
ACPI Object Type 'Power' (0x0b) at acpi0 not configured
PNP0C0F at acpi0 not configured
PNP0C0F at acpi0 not configured
PNP0C0F at acpi0 not configured
acpibut0 at acpi0 (PNP0C0E): ACPI Sleep Button
pckbd0 at pckbc1 (kbd slot)
pckbc1: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
pms0 at pckbc1 (aux slot)
pckbc1: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pci0 at mainbus0 bus 0: configuration mode 1
pci0: i/o space, memory space enabled, rd/line, rd/mult, wr/inv ok
pchb0 at pci0 dev 0 function 0
pchb0: Silicon Integrated System 735 Host Bridge (rev. 0x01)
agp0 at pchb0: aperture at 0xd0000000, size 0x4000000
ppb0 at pci0 dev 1 function 0: Silicon Integrated System 86C201 (rev. 0x00)
pci1 at ppb0 bus 1
pci1: i/o space, memory space enabled
vga0 at pci1 dev 0 function 0: Matrox MGA G400 AGP (rev. 0x85)
wsdisplay0 at vga0 kbdmux 1: console (80x25, vt100 emulation), using wskbd0
wsmux1: connecting to wsdisplay0
pcib0 at pci0 dev 2 function 0
pcib0: Silicon Integrated System 85C503 or 5597/5598 ISA bridge (rev. 0x00)
ohci0 at pci0 dev 2 function 2: Silicon Integrated System 5597/5598 USB host controller (rev. 0x07)
ohci0: interrupting at ioapic0 pin 19 (irq 11)
ohci0: OHCI version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: Silicon Integra OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 3 ports with 3 removable, self powered
ohci1 at pci0 dev 2 function 3: Silicon Integrated System 5597/5598 USB host controller (rev. 0x07)
ohci1: interrupting at ioapic0 pin 23 (irq 10)
ohci1: OHCI version 1.0, legacy support
usb1 at ohci1: USB revision 1.0
uhub1 at usb1
uhub1: Silicon Integra OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 3 ports with 3 removable, self powered
siside0 at pci0 dev 2 function 5
siside0: Silicon Integrated Systems 735 IDE controller (rev. 0xd0)
siside0: bus-master DMA support present
siside0: primary channel wired to compatibility mode
siside0: primary channel interrupting at ioapic0 pin 14 (irq 14)
atabus0 at siside0 channel 0
siside0: secondary channel wired to compatibility mode
siside0: secondary channel interrupting at ioapic0 pin 15 (irq 15)
atabus1 at siside0 channel 1
sip0 at pci0 dev 3 function 0: SiS 900 10/100 Ethernet, rev 0x90
sip0: interrupting at ioapic0 pin 22 (irq 5)
sip0: Ethernet address 00:07:95:a9:a5:7f
ukphy0 at sip0 phy 1: Generic IEEE 802.3u media interface
ukphy0: RTL8201L 10/100 media interface (OUI 0x000004, model 0x0020), rev. 1
ukphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
cmpci0 at pci0 dev 15 function 0: C-Media Electronics CMI8738/C3DX PCI Audio Device (rev. 0x10)
cmpci0: interrupting at ioapic0 pin 19 (irq 11)
audio0 at cmpci0: full duplex, mmap, independent
opl at cmpci0 not configured
mpu at cmpci0 not configured
isa0 at pcib0
ioapic0: enabling
fd0 at fdc0 drive 0: 1.44MB, 80 cyl, 2 head, 18 sec
wd0 at atabus0 drive 0: <SAMSUNG SV1203N>
wd0: drive supports 16-sector PIO transfers, LBA48 addressing
wd0: 120 GB, 232632 cyl, 16 head, 63 sec, 512 bytes/sect x 234493056 sectors
wd0: 32-bit data port
wd0: drive supports PIO mode 4, DMA mode 2, Ultra-DMA mode 5 (Ultra/100)
wd0(siside0:0:0): using PIO mode 4, Ultra-DMA mode 5 (Ultra/100) (using DMA)
atapibus0 at atabus1: 2 targets
cd0 at atapibus0 drive 1: <LG CD-RW CED-8080B, 2000/08/17, 1.08> cdrom removable
cd0: 32-bit data port
cd0: drive supports PIO mode 4, DMA mode 2, Ultra-DMA mode 2 (Ultra/33)
cd0(siside0:1:1): using PIO mode 4, Ultra-DMA mode 2 (Ultra/33) (using DMA)
boot device: wd0
root on wd0a dumps on wd0b
root file system type: ffs
warning: no /dev/console
wsdisplay0: screen 1 added (80x25, vt100 emulation)
wsdisplay0: screen 2 added (80x25, vt100 emulation)
wsdisplay0: screen 3 added (80x25, vt100 emulation)
wsdisplay0: screen 4 added (80x25, vt100 emulation)
wsdisplay0: screen 5 added (80x25, vt100 emulation)
wsdisplay0: screen 6 added (80x25, vt100 emulation)
wsdisplay0: screen 7 added (80x25, vt100 emulation)

>How-To-Repeat:

$ /sbin/sysctl net.inet6.ip6.v6only
net.inet6.ip6.v6only = 0

I created an IPv6 UDP socket (PF_INET6, SOCK_DGRAM) and set
the following options with setsockopt() to the values as
shown:

IP_TTL = 32
IP_RECVOPTS = 1
IP_RECVRETOPTS = 1
IP_RECVIF = 1
IPV6_PKTINFO = 1
IPV6_HOPLIMIT = 1
IPV6_NEXTHOP = 1
IPV6_HOPOPTS = 1
IPV6_DSTOPTS = 1
IPV6_RTHDR = 1
IPV6_PKTOPTIONS = 1
IPV6_CHECKSUM = 1
IPV6_FAITH = 1
IPV6_USE_MIN_MTU = 1

This was just an experiment with socket options. The machine
crashed with a panic just a second later which was seemingly
caused by an incoming or outgoing packet.

>Fix:
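
Added illustration, not part of the original report and not NetBSD source: the panic string above says the copy ran off the end of the mbuf chain with 1701 bytes still requested, and the sketch below shows a bounds-checked copy over a simplified chain that returns that remainder instead of dereferencing a NULL segment. It is fed the offset and length from the m_copydata frame (0x28 and 0x6b0, assuming DDB lists the arguments in the order mbuf, offset, length) and a constructed 51-byte packet chosen so that the remainder matches the panic line; `struct seg`, `chain_copy_checked` and `demo_trace_values` are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for an mbuf chain (not the NetBSD struct mbuf). */
struct seg {
    const unsigned char *data;
    size_t len;
    const struct seg *next;
};

/*
 * Copy len bytes at offset off from the chain into dst.
 * Returns 0 on success, the number of bytes still uncopied if the chain
 * ends during the copy, or -1 if the offset itself lies past the data.
 */
long chain_copy_checked(const struct seg *s, size_t off, size_t len,
                        unsigned char *dst)
{
    while (off > 0 && s != NULL && off >= s->len) {  /* skip to offset */
        off -= s->len;
        s = s->next;
    }
    if (s == NULL && off > 0)
        return -1;
    while (len > 0) {
        if (s == NULL)
            return (long)len;   /* chain exhausted: report, do not crash */
        size_t n = s->len - off < len ? s->len - off : len;
        memcpy(dst, s->data + off, n);
        dst += n;
        len -= n;
        off = 0;
        s = s->next;
    }
    return 0;
}

/* Constructed input: 51 zero bytes in two segments; off/len from the trace. */
long demo_trace_values(void)
{
    static unsigned char pkt[51], out[0x6b0];
    struct seg tail = { pkt + 40, 11, NULL };
    struct seg head = { pkt, 40, &tail };
    return chain_copy_checked(&head, 0x28, 0x6b0, out);
}

int main(void)
{
    printf("bytes left uncopied: %ld\n", demo_trace_values());
    return 0;
}
```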