NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

kern/56455: panic in if_get_bylla when if_set_sadl is called

>Number:         56455
>Category:       kern
>Synopsis:       panic in if_get_bylla when if_set_sadl is called
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Oct 15 05:55:00 +0000 2021
>Originator:     Shoichi Yamaguchi
>Release:        NetBSD 9.99.91
Internet Initiative Japan Inc.
NetBSD hidden 9.99.91 NetBSD 9.99.91 (GENERIC) #12: Fri Oct 15 09:21:21 JST 2021  hidden/obj/sys/arch/amd64/compile/GENERIC amd64

[ 478.9688824] fatal page fault in supervisor mode
[ 478.9796964] trap type 6 code 0 rip 0xffffffff80dfccc3 cs 0x8 rflags 0x10246 cr2 0x5 ilevel 0x5 rsp 0xffffb180af52ce30
[ 478.9902694] curlwp 0xffff9aa6c5205480 pid 0.3 lowest kstack 0xffffb180af5282c0
kernel: page fault trap, code=0
Stopped in pid 0.3 (system) at  netbsd:if_get_bylla+0x60:       movzbl  5(%rax),
if_get_bylla() at netbsd:if_get_bylla+0x60
in_arpinput() at netbsd:in_arpinput+0xb5
arpintr() at netbsd:arpintr+0x160
softint_dispatch() at netbsd:softint_dispatch+0xf2
DDB lost frame for netbsd:Xsoftintr+0x4f, trying 0xffffb180af52d0f0
Xsoftintr() at netbsd:Xsoftintr+0x4f
--- interrupt ---
ds          84
es          74
fs          20
gs          70e0
rdi         ffff9aa5562bc016
rsi         ffff9aa555d08523
rbp         ffffb180af52ce80
rbx         6
rdx         6
rcx         e2
rax         0
r8          0
r9          ffff9aa5574a2808
r10         ffff9aa5562bc00e
r11         dead
r12         ffff9aa5562bc016
r13         6
r14         4
r15         ffff9aa5574a2808
rip         ffffffff80dfccc3    if_get_bylla+0x60
cs          8
rflags      10246
rsp         ffffb180af52ce30
ss          10
netbsd:if_get_bylla+0x60:       movzbl  5(%rax),%edx

if_deactivate_sadl() called from if_set_sadl stores NULL to ifp->if_sadl,
and if_get_bylla() refers ifp->if_sadl.Both of two are doing without lock
or other exclusive controls. 
Therefore, the panic is appeared when doing commands that changes MAC
address e.g. "ifconfig vlan0 vlan 1 vlanif wm0" and
"ifconfig lagg0 laggport wm0", and receiving ARP frames at the same time.

HOST-A% ifconfig wm0
HOST-A% arping -q -f

TARGET% ifconfig wm0
TARGET% ifconfig vlan0 create
TARGET% while true
    ifconfig vlan0 vlan 1 vlanif wm1
    sleep 0.$((RANDOM % 9 + 1))
    ifconfig vlan0 -vlanif
    sleep 0.$((RANDOM % 9 + 1))

I applied the following patch for the kernel of TARGET to cause the panic easily.

index 130ca14235a..41b5c2dea66 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -520,8 +520,10 @@ if_alloc_sadl(struct ifnet *ifp)
         * now.  This is useful for interfaces that can change
         * link types, and thus switch link names often.
-       if (ifp->if_sadl != NULL)
+       if (ifp->if_sadl != NULL) {
                if_free_sadl(ifp, 0);
+               delay(10000);
+       }
        ifa = if_dl_create(ifp, &sdl);

Home | Main Index | Thread Index | Old Index