NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: kern/51467 detaching USB network interface panics



The following reply was made to PR kern/51467; it has been noted by GNATS.

From: Ryota Ozaki <ozaki-r%netbsd.org@localhost>
To: Michael van Elst <mlelstv%serpens.de@localhost>
Cc: "gnats-bugs%NetBSD.org@localhost" <gnats-bugs%netbsd.org@localhost>, kern-bug-people%netbsd.org@localhost, 
	gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost
Subject: Re: kern/51467 detaching USB network interface panics
Date: Mon, 28 Nov 2016 18:12:58 +0900

 On Sun, Nov 27, 2016 at 6:50 PM, Michael van Elst <mlelstv%serpens.de@localhost> wrote:
 > The following reply was made to PR kern/51467; it has been noted by GNATS.
 >
 > From: Michael van Elst <mlelstv%serpens.de@localhost>
 > To: gnats-bugs%netbsd.org@localhost
 > Cc:
 > Subject: Re: kern/51467 detaching USB network interface panics
 > Date: Sun, 27 Nov 2016 10:45:27 +0100
 >
 >  nd6_purge() contains a hack:
 >
 >                          /*
 >                           * Because if_detach() does *not* release prefixes
 >                           * while purging addresses the reference count will
 >                           * still be above zero. We therefore reset it to
 >                           * make sure that the prefix really gets purged.
 >                           */
 >                          pr->ndpr_refcnt = 0;
 >
 >  followed by a call to prelist_remove(pr). This will free the prefix list
 >  although it is still referenced by the interface.
 >
 >  It will also finally call pfxlist_onlink_check().
 >
 >          /*
 >           * Changes on the prefix status might affect address status as well.
 >           * Make sure that all addresses derived from an attached prefix are
 >           * attached, and that all addresses derived from a detached prefix are
 >           * detached.  Note, however, that a manually configured address should
 >           * always be attached.
 >           * The precise detection logic is same as the one for prefixes.
 >           */
 >
 >  Here pfxlist_onlink_check uses the stale ia->ia6_ndpr reference
 >  when calling find_pfxlist_reachable_router().
 >
 >  If the kernel is compiled with DEBUG (implies KMEM_POISON), this
 >  leads to an immediate crash.
 
 Thank you for the investigation. I can reproduce it now on an ATF test (t_ra)
 by enabling KMEM_POISON by hand (it's never enabled on rump kernels).
 
 The following patch fixes the panic. It restores the original behavior
 of in6_purgeif changed by in6.c,v 1.203 and in6_ifattach.c,v 1.99.
 
 Thanks,
   ozaki-r
 
 diff --git a/sys/netinet6/in6_ifattach.c b/sys/netinet6/in6_ifattach.c
 index 2065d18..0eb8ddb 100644
 --- a/sys/netinet6/in6_ifattach.c
 +++ b/sys/netinet6/in6_ifattach.c
 @@ -809,15 +809,15 @@ void
  in6_ifdetach(struct ifnet *ifp)
  {
 
 +       /* nuke any of IPv6 addresses we have */
 +       if_purgeaddrs(ifp, AF_INET6, in6_purgeaddr);
 +
         /* remove ip6_mrouter stuff */
         ip6_mrouter_detach(ifp);
 
         /* remove neighbor management table */
         nd6_purge(ifp, NULL);
 
 -       /* nuke any of IPv6 addresses we have */
 -       if_purgeaddrs(ifp, AF_INET6, in6_purgeaddr);
 -
         /* cleanup multicast address kludge table, if there is any */
         in6_purgemkludge(ifp);
 


Home | Main Index | Thread Index | Old Index