kern/56455: panic in if_get_bylla when if_set_sadl is called

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/56455: panic in if_get_bylla when if_set_sadl is called
From: s-yamaguchi%iij.ad.jp@localhost
Date: Fri, 15 Oct 2021 05:55:00 +0000 (UTC)

>Number:         56455
>Category:       kern
>Synopsis:       panic in if_get_bylla when if_set_sadl is called
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Oct 15 05:55:00 +0000 2021
>Originator:     Shoichi Yamaguchi
>Release:        NetBSD 9.99.91
>Organization:
Internet Initiative Japan Inc.
>Environment:
NetBSD hidden 9.99.91 NetBSD 9.99.91 (GENERIC) #12: Fri Oct 15 09:21:21 JST 2021  hidden/obj/sys/arch/amd64/compile/GENERIC amd64

>Description:
[ 478.9688824] fatal page fault in supervisor mode
[ 478.9796964] trap type 6 code 0 rip 0xffffffff80dfccc3 cs 0x8 rflags 0x10246 cr2 0x5 ilevel 0x5 rsp 0xffffb180af52ce30
[ 478.9902694] curlwp 0xffff9aa6c5205480 pid 0.3 lowest kstack 0xffffb180af5282c0
kernel: page fault trap, code=0
Stopped in pid 0.3 (system) at  netbsd:if_get_bylla+0x60:       movzbl  5(%rax),
%edx
if_get_bylla() at netbsd:if_get_bylla+0x60
in_arpinput() at netbsd:in_arpinput+0xb5
arpintr() at netbsd:arpintr+0x160
softint_dispatch() at netbsd:softint_dispatch+0xf2
DDB lost frame for netbsd:Xsoftintr+0x4f, trying 0xffffb180af52d0f0
Xsoftintr() at netbsd:Xsoftintr+0x4f
--- interrupt ---
0:
ds          84
es          74
fs          20
gs          70e0
rdi         ffff9aa5562bc016
rsi         ffff9aa555d08523
rbp         ffffb180af52ce80
rbx         6
rdx         6
rcx         e2
rax         0
r8          0
r9          ffff9aa5574a2808
r10         ffff9aa5562bc00e
r11         dead
r12         ffff9aa5562bc016
r13         6
r14         4
r15         ffff9aa5574a2808
rip         ffffffff80dfccc3    if_get_bylla+0x60
cs          8
rflags      10246
rsp         ffffb180af52ce30
ss          10
netbsd:if_get_bylla+0x60:       movzbl  5(%rax),%edx
db{0}> 

if_deactivate_sadl() called from if_set_sadl stores NULL to ifp->if_sadl,
and if_get_bylla() refers ifp->if_sadl.Both of two are doing without lock
or other exclusive controls. 
Therefore, the panic is appeared when doing commands that changes MAC
address e.g. "ifconfig vlan0 vlan 1 vlanif wm0" and
"ifconfig lagg0 laggport wm0", and receiving ARP frames at the same time.

>How-To-Repeat:
HOST-A% ifconfig wm0 192.168.0.1/24
HOST-A% arping -q -f 192.168.0.254

TARGET% ifconfig wm0 192.168.0.2/24
TARGET% ifconfig vlan0 create
TARGET% while true
do
    ifconfig vlan0 vlan 1 vlanif wm1
    sleep 0.$((RANDOM % 9 + 1))
    ifconfig vlan0 -vlanif
    sleep 0.$((RANDOM % 9 + 1))
done

----
I applied the following patch for the kernel of TARGET to cause the panic easily.

index 130ca14235a..41b5c2dea66 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -520,8 +520,10 @@ if_alloc_sadl(struct ifnet *ifp)
         * now.  This is useful for interfaces that can change
         * link types, and thus switch link names often.
         */
-       if (ifp->if_sadl != NULL)
+       if (ifp->if_sadl != NULL) {
                if_free_sadl(ifp, 0);
+               delay(10000);
+       }
 
        ifa = if_dl_create(ifp, &sdl);
 
>Fix:

Prev by Date: Re: pkg/55931: Lynx-2.8.9rel.1 doesn't work with libcurses in NetBSD-9
Next by Date: Re: kern/55352: access_regs_set_unaligned_pc_0x7 test cases sometimes fail
Previous by Thread: kern/56454: kevent tests crash the kernel if run under compat_netbsd32
Next by Thread: Re: kern/56454 (kevent tests crash the kernel if run under compat_netbsd32)
Indexes:

Home | Main Index | Thread Index | Old Index