NetBSD-Bugs archive
Re: kern/45764: ifconfig stf0 destroy is unhealthy
The following reply was made to PR kern/45764; it has been noted by GNATS.
From: Mindaugas Rasiukevicius <rmind%netbsd.org@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: spz%NetBSD.org@localhost, kern-bug-people%netbsd.org@localhost,
gnats-admin%netbsd.org@localhost,
netbsd-bugs%netbsd.org@localhost
Subject: Re: kern/45764: ifconfig stf0 destroy is unhealthy
Date: Sun, 1 Jan 2012 13:05:20 +0000
spz%NetBSD.org@localhost wrote:
> ...
> >Description:
> fatal protection fault in supervisor mode
> trap type 4 code 0 rip ffffffff8017e065 cs 8 rflags 10282 cr2 7f7ffd618020 cpl 6 rsp ffff80004f0076c0
> kernel: protection fault trap, code=0
> Stopped in pid 12552.1 (ifconfig) at netbsd:nd6_purge+0xd5: cmpb $0x12,0x1(%rax)
> db{0}> bt
> nd6_purge() at netbsd:nd6_purge+0xd5
> in6_ifdetach() at netbsd:in6_ifdetach+0x21
> in6_purgeif() at netbsd:in6_purgeif+0x25
> udp6_usrreq() at netbsd:udp6_usrreq+0xfd
> udp6_usrreq_wrapper() at netbsd:udp6_usrreq_wrapper+0x51
> if_detach() at netbsd:if_detach+0x2b0
> stf_clone_destroy() at netbsd:stf_clone_destroy+0x4c
> if_clone_destroy() at netbsd:if_clone_destroy+0x44
> ifioctl() at netbsd:ifioctl+0x1a3
> soo_ioctl() at netbsd:soo_ioctl+0x246
> sys_ioctl() at netbsd:sys_ioctl+0x138
> syscall() at netbsd:syscall+0xa0
Assembly fragment in question:
ffffffff8017e05c: 48 8b 47 60    mov 0x60(%rdi),%rax
ffffffff8017e060: 48 85 c0       test %rax,%rax
ffffffff8017e063: 74 db          je ffffffff8017e040 <nd6_purge+0xb0>
ffffffff8017e065: 80 78 01 12    cmpb $0x12,0x1(%rax)
ffffffff8017e069: 75 d5          jne ffffffff8017e040 <nd6_purge+0xb0>
The compare instruction seems to be rt->rt_gateway->sa_family == AF_LINK, see:
http://nxr.netbsd.org/xref/src/sys/netinet6/nd6.c?r=1.139#802
It has passed rt->rt_gateway != NULL (test %rax,%rax), which indicates that
the rt->rt_gateway pointer contains garbage.
--
Mindaugas
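
Added example, not part of the original message or of the NetBSD sources: a small C model of the test/je/cmpb sequence quoted above, showing why a NULL check passes for a stale pointer and why the result is a protection fault rather than a page fault. The names sockaddr_model, is_canonical48 and predict_cmpb are hypothetical; it assumes 48-bit canonical addressing on amd64, and the sample pointer values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the BSD sockaddr header (assumption: sa_len byte, then sa_family). */
struct sockaddr_model { uint8_t sa_len; uint8_t sa_family; char sa_data[14]; };
#define AF_LINK_MODEL 0x12   /* immediate in "cmpb $0x12,0x1(%rax)" */
_Static_assert(offsetof(struct sockaddr_model, sa_family) == 1,
               "displacement 0x1 in the cmpb must be sa_family");

enum outcome {
    SKIPPED_NULL,     /* test %rax,%rax sets ZF, je is taken */
    GP_FAULT,         /* non-canonical address: protection fault, cr2 untouched */
    LOAD_ISSUED       /* canonical: compare runs, or page fault if unmapped */
};

/* Assumes 48-bit virtual addresses: bits 63..47 must all be copies of bit 47. */
int is_canonical48(uint64_t va)
{
    uint64_t top = va >> 47;             /* the 17 high-order bits */
    return top == 0 || top == 0x1ffff;
}

/* Predict what the test/je/cmpb sequence does for a given value of %rax. */
enum outcome predict_cmpb(uint64_t rax)
{
    if (rax == 0)
        return SKIPPED_NULL;
    return is_canonical48(rax) ? LOAD_ISSUED : GP_FAULT;
}

int main(void)
{
    /* Constructed sample values, not taken from the crash dump. */
    const uint64_t samples[] = { 0, 0xdeadbeefdeadbeefULL, 0xffff800012345678ULL };
    static const char *names[] = { "skipped (NULL)", "protection fault", "load issued" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%#018llx -> %s\n", (unsigned long long)samples[i],
               names[predict_cmpb(samples[i])]);
    return 0;
}
```

Only the NULL case is filtered by the check; any other stale value reaches the cmpb, and a non-canonical one traps without updating cr2.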