NetBSD-Bugs archive


Re: kern/45764: ifconfig stf0 destroy is unhealthy



spz%NetBSD.org@localhost wrote:
> ...
> >Description:
>       fatal protection fault in supervisor mode
>       trap type 4 code 0 rip ffffffff8017e065 cs 8 rflags 10282 cr2 7f7ffd618020 cpl 6 rsp ffff80004f0076c0
>       kernel: protection fault trap, code=0
>       Stopped in pid 12552.1 (ifconfig) at    netbsd:nd6_purge+0xd5:  cmpb    $0x12,0x1(%rax)
>       db{0}> bt
>       nd6_purge() at netbsd:nd6_purge+0xd5
>       in6_ifdetach() at netbsd:in6_ifdetach+0x21
>       in6_purgeif() at netbsd:in6_purgeif+0x25
>       udp6_usrreq() at netbsd:udp6_usrreq+0xfd
>       udp6_usrreq_wrapper() at netbsd:udp6_usrreq_wrapper+0x51
>       if_detach() at netbsd:if_detach+0x2b0
>       stf_clone_destroy() at netbsd:stf_clone_destroy+0x4c
>       if_clone_destroy() at netbsd:if_clone_destroy+0x44
>       ifioctl() at netbsd:ifioctl+0x1a3
>       soo_ioctl() at netbsd:soo_ioctl+0x246
>       sys_ioctl() at netbsd:sys_ioctl+0x138
>       syscall() at netbsd:syscall+0xa0

Assembly fragment in question:

ffffffff8017e05c:       48 8b 47 60             mov    0x60(%rdi),%rax
ffffffff8017e060:       48 85 c0                test   %rax,%rax
ffffffff8017e063:       74 db                   je     ffffffff8017e040 <nd6_purge+0xb0>
ffffffff8017e065:       80 78 01 12             cmpb   $0x12,0x1(%rax)
ffffffff8017e069:       75 d5                   jne    ffffffff8017e040 <nd6_purge+0xb0>

The compare instruction seems to be rt->rt_gateway->sa_family == AF_LINK, see:

http://nxr.netbsd.org/xref/src/sys/netinet6/nd6.c?r=1.139#802

It has passed rt->rt_gateway != NULL (test %rax,%rax), which indicates that
the rt->rt_gateway pointer contains garbage.

-- 
Mindaugas
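Added illustration (editor's example, not code from the bug report, from Mindaugas, or from the NetBSD tree): a constructed user-space model of the pattern described above, in which a NULL check on a gateway pointer passes but the dereference reads freed memory because the owning entry was never cleared when the gateway went away. All names (sockaddr_model, rtentry_model, detach_unsafe, detach_safe, the fixed arena and its 0xdb poison byte) are hypothetical stand-ins chosen so the dangling read is reproducible without undefined behaviour; only the 0x12 compared against sa_family is taken from the trap.

```c
/*
 * Constructed model of "passes the NULL check, then reads garbage".
 * This is NOT nd6_purge()/in6_ifdetach() from NetBSD; the allocator is a
 * fixed arena so that reading a freed slot is deterministic (no UB).
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AF_LINK_MODEL 0x12   /* the immediate compared at nd6_purge+0xd5 */
#define POISON_BYTE   0xdb   /* hypothetical free-time poison pattern */
#define ARENA_SLOTS   4

struct sockaddr_model {
    uint8_t sa_len;
    uint8_t sa_family;      /* the byte read via 0x1(%rax) in the trap */
    uint8_t sa_data[14];
};

struct rtentry_model {
    struct sockaddr_model *rt_gateway;
};

/* Fixed arena standing in for the kernel allocator; freeing poisons the slot. */
static struct sockaddr_model arena[ARENA_SLOTS];
static int in_use[ARENA_SLOTS];

static struct sockaddr_model *alloc_gateway(uint8_t family)
{
    for (int i = 0; i < ARENA_SLOTS; i++) {
        if (!in_use[i]) {
            in_use[i] = 1;
            memset(&arena[i], 0, sizeof arena[i]);
            arena[i].sa_len = sizeof arena[i];
            arena[i].sa_family = family;
            return &arena[i];
        }
    }
    return NULL;
}

static void free_gateway(struct sockaddr_model *sa)
{
    int i = (int)(sa - arena);
    in_use[i] = 0;
    memset(sa, POISON_BYTE, sizeof *sa);   /* what a diagnostic free would do */
}

/* Diagnostic: is this pointer a currently allocated arena slot? */
static int gateway_is_live(const struct sockaddr_model *sa)
{
    return sa != NULL && sa >= arena && sa < arena + ARENA_SLOTS
           && in_use[sa - arena];
}

/* Models the check in the trap: non-NULL gateway whose family is AF_LINK. */
static int purge_sees_link_gateway(const struct rtentry_model *rt)
{
    if (rt->rt_gateway == NULL)          /* the "test %rax,%rax" */
        return 0;
    return rt->rt_gateway->sa_family == AF_LINK_MODEL;   /* the "cmpb $0x12" */
}

/* Buggy detach: frees the gateway but leaves rt->rt_gateway dangling. */
static void detach_unsafe(struct rtentry_model *rt)
{
    free_gateway(rt->rt_gateway);
}

/* Safe detach: frees and clears, so the NULL check in purge actually protects. */
static void detach_safe(struct rtentry_model *rt)
{
    free_gateway(rt->rt_gateway);
    rt->rt_gateway = NULL;
}

/* sa_family byte purge would read after detach, or -1 if the NULL check skips it. */
int family_seen_after_detach(int safe)
{
    struct rtentry_model rt = { .rt_gateway = alloc_gateway(AF_LINK_MODEL) };
    if (safe) detach_safe(&rt); else detach_unsafe(&rt);
    if (rt.rt_gateway == NULL)
        return -1;
    return rt.rt_gateway->sa_family;
}

/* 1 if the entry still points at a freed slot after the unsafe detach. */
int dangling_after_unsafe_detach(void)
{
    struct rtentry_model rt = { .rt_gateway = alloc_gateway(AF_LINK_MODEL) };
    int live_before = gateway_is_live(rt.rt_gateway) && purge_sees_link_gateway(&rt);
    detach_unsafe(&rt);
    return live_before && !gateway_is_live(rt.rt_gateway);
}

int main(void)
{
    printf("after unsafe detach: sa_family=0x%02x (expected 0x12)\n",
           family_seen_after_detach(0));
    printf("after safe detach:   %d (-1 means purge skipped it)\n",
           family_seen_after_detach(1));
    return 0;
}
```

In a real kernel the freed slot is not poisoned and may be unmapped or reused, which is why the byte read via 0x1(%rax) cannot be trusted once the NULL test has passed; the only reliable protections are clearing the owning pointer when the object is released and, in diagnostic builds, poisoning freed memory so the stale read fails loudly rather than comparing equal by accident.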

