(analysis) Re: ipv6 causing panic?

Board: DFBSD_bugs    Time: 21 years ago (2005/02/01 15:32)
:I've updated to the latest current sources, and when I bring up
:my default ipv6 route I get a panic a few seconds later. Kernel
:and crash dump can be found at:
:
: http://www.theshell.com/~pavalos/crash/
:
:...
:
:Peter

It looks like it is IPV6 related. It crashed somewhere in in6ifa_ifpwithaddr().

Peter,

On January 19th I did make a commit which synchronized the use of the interface pointer with consumers when an ifp is freed. Synchronize your sources and make doubly sure that your kernel has those fixes:

    1.25  +7  -2  src/sys/net/if.c
    1.23  +78 -3  src/sys/net/netisr.c
    1.21  +2  -1  src/sys/net/netisr.h
    1.30  +2  -2  src/sys/netinet/ip_demux.c

From what I can tell, the packet's interface pointer is pointing to memory which is no longer an interface structure. It's possible that my fixes aren't sufficient for IPV6. Hmm. Or for packet fragment processing either, since a message may bounce around more than one thread. But I am a bit at a loss as to why the interface pointer is bad, because you weren't bringing down an interface at the time of the crash (were you?)

    /*
     * find the internet address corresponding to a given interface and address.
     */
    struct in6_ifaddr *
    in6ifa_ifpwithaddr(struct ifnet *ifp, struct in6_addr *addr)
    {
        struct ifaddr *ifa;

        TAILQ_FOREACH(ifa, &ifp->if_addrlist, ifa_list) {
            if (ifa->ifa_addr == NULL)          <<<<<<<< CRASHED HERE
                continue;       /* just for safety */
            if (ifa->ifa_addr->sa_family != AF_INET6)
                continue;
            if (IN6_ARE_ADDR_EQUAL(addr, IFA_IN6(ifa)))
                break;
        }
        return((struct in6_ifaddr *)ifa);
    }

The ifa pointer is bogus, it is 0x6e62696c which are obviously ascii characters and not a pointer. The sequence is:

    ip6_input() -> icmp6_input() -> nd6_na_input() -> in6ifa_ifpwithaddr()

It looks to me like m->m_pkthdr.rcvif is bad.
    (kgdb) print $5
    $8 = (struct mbuf *) 0xd5ea9200
    (kgdb) print *$5
    $15 = {
      m_hdr = {
        mh_next = 0x0,
        mh_nextpkt = 0x0,
        mh_data = 0xc3756824 "`",
        mh_len = 0x40,
        mh_type = 0x1,
        mh_flags = 0x4003            <<< M_EXT, M_PKTHDR, M_EXT_CLUSTER
      },
      M_dat = {
        MH = {
          MH_pkthdr = {
            rcvif = 0xc37a4fac,      <<< rcvif pointer looks ok
            len = 0x40,              <<< header length looks ok
            tags = {
              slh_first = 0xc3845180
            },
            header = 0x0,
            csum_flags = 0x300,
            csum_data = 0x10,
            pf_flags = 0x0,
            pf_tag = 0x0,
            pf_routed = 0x0,
            pf_unused01 = 0x0
          },
          MH_dat = {
            MH_ext = {
              ext_buf = 0xc3756800 "",
              ext_nfree = {
                old = 0xc0195898 <m_mclfree>,
                new = 0xc0195898 <m_mclfree>,
                any = 0xc0195898
              },
              ext_size = 0x800,
              ext_nref = {
                old = 0xc0195940 <m_mclref>,
                new = 0xc0195940 <m_mclref>,
                any = 0xc0195940
              },
              ext_arg = 0xc37a1340
            },
    ...
    (kgdb) print *$5->M_dat.MH.MH_pkthdr.rcvif
    $14 = {
      if_softc = 0xde664800,         <<<< ALL BOGUS
      if_link = {
        tqe_next = 0x6362696c,       <<<< ALL BOGUS
        tqe_prev = 0x2e6f732e        <<<< ALL BOGUS
      },
      if_xname = "4\000le.so\000libm.so.",
      if_dname = 0x32---Can't read userspace from dump, or kernel process---

-Matt
Matthew Dillon
<dillon@backplane.com>
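The bogus words in the dump (0x6e62696c, 0x6362696c, 0x2e6f732e) and the stale-rcvif pattern Matt describes, as an added example that is not part of the original thread or of the DragonFly sources: the first function decodes a suspicious 32-bit word from a little-endian i386 dump as ASCII, which is the quick triage check for "this pointer is really string data"; the rest is a toy model, with invented toy_* and slab_* names and a constructed "libc.so.4" string standing in for whatever reused the memory, of an ifnet freed and reused while a queued mbuf still carries rcvif, beside one way of pinning the interface with a reference count plus a detached flag. The pinning scheme is an illustration of the hazard and a generic mitigation, not DragonFly's actual synchronization fix from the commits listed above.

```c
/*
 * Added example: a toy model of the failure mode in the report, not code
 * from the DragonFly tree or from this thread. An mbuf still carries rcvif
 * after the ifnet behind it was freed and its memory reused, so the pointer
 * "looks ok" but the fields it points at belong to someone else.
 * Every name below (toy_*, slab_*) is invented for the model.
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode a bogus 32-bit "pointer" from a little-endian i386 dump as text.
 * Returns the four characters (static buffer) or NULL if any is unprintable. */
const char *ptr_as_ascii(uint32_t word)
{
    static char out[5];
    for (int i = 0; i < 4; i++) {
        unsigned char c = (unsigned char)((word >> (8 * i)) & 0xff);
        if (!isprint(c))
            return NULL;
        out[i] = (char)c;
    }
    out[4] = '\0';
    return out;
}

/* One-slot "slab": freeing the block and allocating again hands back the
 * same memory, as a kernel allocator does for same-sized objects. */
static unsigned char slab[64];
static int slab_in_use;

static void *slab_alloc(void) { slab_in_use = 1; return slab; }
static void slab_free(void *p) { (void)p; slab_in_use = 0; }
int slab_is_in_use(void) { return slab_in_use; }

struct toy_ifnet {
    struct toy_ifnet *link_next;  /* first field, like if_link.tqe_next */
    int refcnt;                   /* held by the if list and by each packet */
    int detached;
    char xname[16];
};

struct toy_mbuf {
    struct toy_ifnet *rcvif;
};

/* Unsafe: the interface is freed while a queued packet still points at it.
 * Returns the first word the stale rcvif now points to. */
uint32_t stale_rcvif_first_word(void)
{
    struct toy_ifnet *ifp = slab_alloc();
    memset(ifp, 0, sizeof *ifp);
    struct toy_mbuf m = { .rcvif = ifp };   /* packet handed to another thread */
    slab_free(ifp);                          /* interface torn down */
    char *reused = slab_alloc();             /* same memory, now a string */
    strcpy(reused, "libc.so.4");             /* constructed, mimics the dump */
    uint32_t word;                           /* consumer trusts m.rcvif later */
    memcpy(&word, &m.rcvif->link_next, sizeof word);
    return word;                             /* 0x6362696c, i.e. "libc" */
}

/* Safe: packets pin the interface. Teardown only marks it detached and
 * drops the list's reference; memory goes away with the last reference. */
static void toy_if_ref(struct toy_ifnet *ifp) { ifp->refcnt++; }
static void toy_if_rele(struct toy_ifnet *ifp)
{
    if (--ifp->refcnt == 0)
        slab_free(ifp);
}

/* nd6_na_input role: never walk the address list of a detached ifp. */
int toy_na_input(struct toy_mbuf *m)
{
    if (m->rcvif == NULL || m->rcvif->detached)
        return -1;                           /* drop the packet */
    return 0;
}

int pinned_rcvif_scenario(void)
{
    struct toy_ifnet *ifp = slab_alloc();
    memset(ifp, 0, sizeof *ifp);
    ifp->refcnt = 1;                         /* reference from the if list */
    struct toy_mbuf m = { .rcvif = ifp };
    toy_if_ref(ifp);                         /* packet takes its own reference */
    ifp->detached = 1;                       /* teardown while packet in flight */
    toy_if_rele(ifp);                        /* refcnt 2 -> 1: memory survives */
    int rc = toy_na_input(&m);               /* -1: dropped, nothing bogus read */
    toy_if_rele(m.rcvif);                    /* packet freed: refcnt 1 -> 0 */
    m.rcvif = NULL;
    return rc;
}

int main(void)
{
    uint32_t w = stale_rcvif_first_word();
    const char *s = ptr_as_ascii(w);
    printf("stale rcvif->link_next = 0x%08x (%s)\n", (unsigned)w, s ? s : "not ascii");
    int rc = pinned_rcvif_scenario();
    printf("pinned: rc=%d slab_in_use=%d\n", rc, slab_is_in_use());
    return 0;
}
```

Run against the values in the dump, the decoder turns 0x6e62696c into "libn", 0x6362696c into "libc" and 0x2e6f732e into ".so.", which is consistent with the "le.so" and "libm.so." fragments in if_xname; the real rcvif value 0xc37a4fac is rejected because 0xac is not printable. The unsafe path reproduces exactly that: the same address, a valid-looking pointer, and a tqe_next that now spells "libc".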
Article code (AID): #11_p2700 (DFBSD_bugs)