From nobody@FreeBSD.org  Sun Jun  8 03:04:44 2008
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 2C3681065676
	for <freebsd-gnats-submit@FreeBSD.org>; Sun,  8 Jun 2008 03:04:44 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 2BB188FC19
	for <freebsd-gnats-submit@FreeBSD.org>; Sun,  8 Jun 2008 03:04:44 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.2/8.14.2) with ESMTP id m5834hbf094285
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 8 Jun 2008 03:04:43 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.2/8.14.1/Submit) id m5834hnD094284;
	Sun, 8 Jun 2008 03:04:43 GMT
	(envelope-from nobody)
Message-Id: <200806080304.m5834hnD094284@www.freebsd.org>
Date: Sun, 8 Jun 2008 03:04:43 GMT
From: Scott Ullrich <sullrich@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Destroying a CARP interface can lead to kernel panic
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         124384
>Category:       kern
>Synopsis:       [carp] [panic] Destroying a CARP interface can lead to kernel panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gonzo
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jun 08 03:10:02 UTC 2008
>Closed-Date:    Sat Jul 19 13:25:51 UTC 2008
>Last-Modified:  Sat Jul 19 13:25:51 UTC 2008
>Originator:     Scott Ullrich
>Release:        7.0-RELEASE
>Organization:
pfSense
>Environment:
FreeBSD gate1.geekgod.com 7.0-RELEASE-p1 FreeBSD 7.0-RELEASE-p1 #0: Mon Jun  2 22:51:51 EDT 2008     sullrich@builder7.bgn.pfsense.org:/usr/obj.pfSense/usr/src/sys/pfSense.7  i386

>Description:
Destroying a CARP interface can lead to system panics.  This was also an issue on 6.3-RELEASE.
>How-To-Repeat:
Run this shell script:

#!/bin/sh

# Configure 192.168.1.1/24 on a real interface first!

# Loop until the kernel panics: create two carp clones, assign them
# addresses, bring one up, then destroy both and start over.
while true; do
     ifconfig carp0 create
     ifconfig carp1 create
     ifconfig carp0 192.168.1.24/22
     ifconfig carp1 192.168.1.25/24
     ifconfig carp0 up
     ifconfig carp0 destroy
     ifconfig carp0 delete      # carp0 is already gone at this point; kept as in the report
     ifconfig carp1 destroy
done
>Fix:
None known at this time.

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->gonzo 
Responsible-Changed-By: gonzo 
Responsible-Changed-When: Mon Jun 9 17:24:48 UTC 2008 
Responsible-Changed-Why:  
Got some time, interest and inspiration for this PR 

http://www.freebsd.org/cgi/query-pr.cgi?pr=124384 

From: Stephan Eisvogel <eisvogel@seitics.de>
To: bug-followup@FreeBSD.org, sullrich@gmail.com
Cc:  
Subject: Re: kern/124384: [carp] [panic] Destroying a CARP interface can lead to kernel panic
Date: Fri, 20 Jun 2008 00:00:16 +0200

 I can confirm this bug, see backtrace below. This is 7-STABLE as of
 today with latest carpdev patch from Max Laier.
 
 
 # kgdb kernel.debug /var/crash/vmcore.0
 GNU gdb 6.1.1 [FreeBSD]
 Copyright 2004 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for details.
 This GDB was configured as "i386-marcel-freebsd"...
 
 Unread portion of the kernel message buffer:
 
 cpuid = 0; apic id = 00
 fault virtual address   = 0x5f
 fault code              = supervisor read, page not present
 instruction pointer     = 0x20:0xc08f3aa6
 stack pointer           = 0x28:0xd6287b80
 frame pointer           = 0x28:0xd6287bc4
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, def32 1, gran 1
 processor eflags        = interrupt enabled, resume, IOPL = 0
 current process         = 1680 (ifconfig)
 panic: from debugger
 cpuid = 0
 KDB: stack backtrace:
 Uptime: 12m24s
 Physical memory: 499 MB
 Dumping 46 MB: 31 15
 
 Reading symbols from /boot/kernel/acpi.ko...Reading symbols from /boot/kernel/acpi.ko.symbols...done.
 done.
 Loaded symbols for /boot/kernel/acpi.ko
 #0  doadump () at pcpu.h:195
 195             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
 (kgdb) list *0xc08f3aa6
 0xc08f3aa6 is in in_control (/home/build/src/sys/netinet/in.c:253).
 248              * the first one on the interface, if possible.
 249              */
 250             if (ifp) {
 251                     dst = ((struct sockaddr_in *)&ifr->ifr_addr)->sin_addr;
 252                     LIST_FOREACH(iap, INADDR_HASH(dst.s_addr), ia_hash)
 253                             if (iap->ia_ifp == ifp &&
 254                                 iap->ia_addr.sin_addr.s_addr == dst.s_addr) {
 255                                     ia = iap;
 256                                     break;
 257                             }
 (kgdb) backtrace
 #0  doadump () at pcpu.h:195
 #1  0xc07cd45d in boot (howto=260) at /home/build/src/sys/kern/kern_shutdown.c:418
 #2  0xc07cd70b in panic (fmt=Variable "fmt" is not available.
 ) at /home/build/src/sys/kern/kern_shutdown.c:572
 #3  0xc050fee2 in db_panic (addr=Could not find the frame base for "db_panic".
 ) at /home/build/src/sys/ddb/db_command.c:446
 #4  0xc05105ce in db_command (last_cmdp=0xc0c85814, cmd_table=0x0, dopager=1) at /home/build/src/sys/ddb/db_command.c:413
 #5  0xc05106d9 in db_command_loop () at /home/build/src/sys/ddb/db_command.c:466
 #6  0xc0511eeb in db_trap (type=12, code=0) at /home/build/src/sys/ddb/db_main.c:228
 #7  0xc07f2701 in kdb_trap (type=12, code=0, tf=0xd6287b40) at /home/build/src/sys/kern/subr_kdb.c:524
 #8  0xc0ac6233 in trap_fatal (frame=0xd6287b40, eva=95) at /home/build/src/sys/i386/i386/trap.c:890
 #9  0xc0ac6490 in trap_pfault (frame=0xd6287b40, usermode=0, eva=95) at /home/build/src/sys/i386/i386/trap.c:812
 #10 0xc0ac6d75 in trap (frame=0xd6287b40) at /home/build/src/sys/i386/i386/trap.c:490
 #11 0xc0aaeacb in calltrap () at /home/build/src/sys/i386/i386/exception.s:139
 #12 0xc08f3aa6 in in_control (so=0xc318fad4, cmd=2151704858, data=0xc3345a80 "carp1", ifp=0xc2ef1c00, td=0xc3115cc0)
     at /home/build/src/sys/netinet/in.c:252
 #13 0xc08583d8 in ifioctl (so=0xc318fad4, cmd=2151704858, data=0xc3345a80 "carp1", td=0xc3115cc0)
     at /home/build/src/sys/net/if.c:1885
 #14 0xc0804808 in soo_ioctl (fp=0xc3109240, cmd=2151704858, data=0xc3345a80, active_cred=0xc31a4100, td=0xc3115cc0)
     at /home/build/src/sys/kern/sys_socket.c:191
 #15 0xc07fe8b3 in kern_ioctl (td=0xc3115cc0, fd=3, com=2151704858, data=0xc3345a80 "carp1") at file.h:266
 #16 0xc07fe9d5 in ioctl (td=0xc3115cc0, uap=0xd6287cfc) at /home/build/src/sys/kern/sys_generic.c:570
 #17 0xc0ac676e in syscall (frame=0xd6287d38) at /home/build/src/sys/i386/i386/trap.c:1035
 #18 0xc0aaeb30 in Xint0x80_syscall () at /home/build/src/sys/i386/i386/exception.s:196
 #19 0x00000033 in ?? ()
 Previous frame inner to this frame (corrupt stack?)
 (kgdb)
 
 
State-Changed-From-To: open->analyzed 
State-Changed-By: gonzo 
State-Changed-When: Fri Jun 20 11:09:16 UTC 2008 
State-Changed-Why:  
Analyzed, patch will be available soon. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=124384 

From: Oleksandr Tymoshenko <gonzo@univ.kiev.ua>
To: Stephan Eisvogel <eisvogel@seitics.de>
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/124384: [carp] [panic] Destroying a CARP interface can lead to kernel panic
Date: Fri, 20 Jun 2008 13:37:49 +0300

 
 Stephan Eisvogel (eisvogel@seitics.de) wrote:
 >  I can confirm this bug, see backtrace below. This is 7-STABLE as of
 >  today with latest carpdev patch from Max Laier.
         Try the patch attached. 
 
 -- 
 gonzo
 
 (attachment: in.diff)
 
 === sys/netinet/in.c
 ==================================================================
 --- sys/netinet/in.c	(revision 179883)
 +++ sys/netinet/in.c	(local)
 @@ -734,6 +734,13 @@
  			if (ia->ia_addr.sin_family == AF_INET)
  				LIST_INSERT_HEAD(INADDR_HASH(
  				    ia->ia_addr.sin_addr.s_addr), ia, ia_hash);
 +			else 
 +				/* 
 +				 * If oldaddr family is not AF_INET in_control 
 +				 * does not call LIST_REMOVE, and we end up 
 +				 * with bogus ia entries in hash
 +				 */
 +				LIST_REMOVE(ia, ia_hash);
  			return (error);
  		}
  	}
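 Review bot: the `else` branch at the end of the hunk puts its only statement after a five-line comment and without braces, so `LIST_REMOVE(ia, ia_hash);` is easy to misread as unconditional; style(9) would move the comment above the `if`, or brace the branch. The comment also speaks of "oldaddr" while the condition tested is `ia->ia_addr.sin_family`: if `ia->ia_addr` has just been reset from `oldaddr` above this hunk, say so in the comment, otherwise test `oldaddr.sin_family` directly so that the comment and the condition name the same thing. Minor: the added `else ` and `/* ` lines carry trailing whitespace.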
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/124384: commit references a PR
Date: Tue, 24 Jun 2008 13:58:48 +0000 (UTC)

 gonzo       2008-06-24 13:58:28 UTC
 
   FreeBSD src repository
 
   Modified files:
     sys/netinet          in.c 
   Log:
   SVN rev 179971 on 2008-06-24 13:58:28Z by gonzo
   
   In case of interface initialization failure remove struct in_ifaddr* from
   in_ifaddrhashtbl in in_ifinit because error handler in in_control removes
   entries only for AF_INET addresses. If in_ifinit is called for the cloned
   interface that has just been created its address family is not AF_INET and
   therefore LIST_REMOVE is not called for respective LIST_INSERT_HEAD and
   freed entries remain in in_ifaddrhashtbl and lead to memory corruption.
   
   PR:     kern/124384
   
   Revision  Changes    Path
   1.104     +8 -0      src/sys/netinet/in.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
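 The commit message above gives the mechanism: in_ifinit links the new in_ifaddr into in_ifaddrhashtbl before the interface's SIOCSIFADDR handler runs; when that handler fails, the error path in in_control unlinks only AF_INET entries, and a freshly cloned interface's restored address is not AF_INET, so the entry is freed while still reachable from the hash chain that in_control walks (the LIST_FOREACH at in.c:252/253 in the backtrace). The following user-space model is an added example, not FreeBSD code and not part of the PR: it re-implements a LIST-shaped intrusive chain in plain C, models in_ifinit, in_control's cleanup and the lookup under hypothetical names (model_in_ifinit, model_in_control_cleanup, model_lookup, run_scenario), and replaces free() with a `freed` flag so the stale entry is observed rather than dereferenced. With the pre-r179971 error path the next lookup walks into the freed entry; with the commit's LIST_REMOVE the chain is clean.

```c
/*
 * Added example, not FreeBSD code: a user-space model of the in_ifaddrhashtbl
 * bookkeeping the r179971 commit message describes. Names follow sys/netinet/in.c;
 * the list, the interface and its failure are modelled, and free() is replaced
 * by a flag so the stale entry is detected rather than dereferenced.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AF_UNSPEC    0
#define AF_INET      2
#define INADDR_NHASH 16

struct in_ifaddr {
	int sin_family;              /* AF_UNSPEC on a freshly cloned interface */
	uint32_t s_addr;             /* IPv4 address as a host-order integer (model) */
	struct in_ifaddr *le_next;   /* ia_hash chain, shaped like a sys/queue.h LIST */
	struct in_ifaddr **le_prev;
	int freed;                   /* model: set by the "free" instead of freeing */
};

static struct in_ifaddr *in_ifaddrhashtbl[INADDR_NHASH];
static struct in_ifaddr carp0_ia;    /* the one entry the scenario allocates */
static struct in_ifaddr **INADDR_HASH(uint32_t a) { return &in_ifaddrhashtbl[a % INADDR_NHASH]; }

static void list_insert_head(struct in_ifaddr **head, struct in_ifaddr *ia)
{
	if ((ia->le_next = *head) != NULL)
		(*head)->le_prev = &ia->le_next;
	*head = ia;
	ia->le_prev = head;
}

static void list_remove(struct in_ifaddr *ia)
{
	if (ia->le_next != NULL)
		ia->le_next->le_prev = ia->le_prev;
	*ia->le_prev = ia->le_next;
}

/*
 * in_ifinit() whose SIOCSIFADDR call into the interface fails. fixed=0 is the
 * pre-r179971 error path (entry stays linked under newaddr), fixed=1 adds the
 * commit's LIST_REMOVE. A previously configured AF_INET address is not
 * handled here: a fresh clone has none.
 */
static int model_in_ifinit(struct in_ifaddr *ia, uint32_t newaddr, int fixed)
{
	int old_family = ia->sin_family;
	uint32_t old_addr = ia->s_addr;
	ia->sin_family = AF_INET;
	ia->s_addr = newaddr;
	list_insert_head(INADDR_HASH(newaddr), ia);

	/* model: (*ifp->if_ioctl)(ifp, SIOCSIFADDR, ia) returned an error */
	ia->sin_family = old_family;
	ia->s_addr = old_addr;
	if (fixed && ia->sin_family != AF_INET)
		list_remove(ia);                  /* the r179971 else branch */
	return EIO;
}

/* in_control()'s cleanup of a new entry after in_ifinit() failed. */
static void model_in_control_cleanup(struct in_ifaddr *ia)
{
	if (ia->sin_family == AF_INET)        /* only AF_INET entries are unlinked */
		list_remove(ia);
	ia->freed = 1;                        /* IFAFREE(): memory goes back to the allocator */
}

/* The walk at in.c:252 that faulted: -1 if the bucket for dst reaches a freed entry. */
static int model_lookup(uint32_t dst)
{
	for (struct in_ifaddr *iap = *INADDR_HASH(dst); iap != NULL; iap = iap->le_next)
		if (iap->freed)                   /* the kernel read iap->ia_ifp out of this */
			return -1;
	return 0;
}

/*
 * One pass of the submitter's loop, then the lookup the next ifconfig performs.
 * Returns -1 if that lookup walks into freed memory, 0 if the table is clean.
 */
static int run_scenario(int fixed, uint32_t addr)
{
	memset(in_ifaddrhashtbl, 0, sizeof(in_ifaddrhashtbl));
	memset(&carp0_ia, 0, sizeof(carp0_ia));             /* ifconfig carp0 create */
	if (model_in_ifinit(&carp0_ia, addr, fixed) != 0)   /* SIOCSIFADDR fails */
		model_in_control_cleanup(&carp0_ia);
	return model_lookup(addr);
}

int main(void)
{
	for (int fixed = 0; fixed <= 1; fixed++)
		printf("%s r179971: next lookup %s\n", fixed ? "with" : "before",
		    run_scenario(fixed, 0xc0a80118u) < 0 ? "reaches freed memory" : "is safe");
	return 0;
}
```

 Build with `cc -std=c99 -Wall` and run; the two printed lines correspond to the kernel before and after r179971. The model deliberately leaves out the real in_ifinit's re-insert of a previously configured AF_INET address (the `if` branch of the hunk), because the panic scenario in this PR starts from a freshly created clone whose address family is not yet AF_INET.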
 
State-Changed-From-To: analyzed->patched 
State-Changed-By: gonzo 
State-Changed-When: Tue Jun 24 14:00:36 UTC 2008 
State-Changed-Why:  
Patch committed 

http://www.freebsd.org/cgi/query-pr.cgi?pr=124384 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/124384: commit references a PR
Date: Sat, 19 Jul 2008 12:12:42 +0000 (UTC)

 gonzo       2008-07-19 12:12:17 UTC
 
   FreeBSD src repository
 
   Modified files:        (Branch: RELENG_7)
     sys/netinet          in.c 
   Log:
   SVN rev 180609 on 2008-07-19 12:12:17Z by gonzo
   
   MFC r179971:
   In case of interface initialization failure remove struct in_ifaddr* from
   in_ifaddrhashtbl in in_ifinit because error handler in in_control removes
   entries only for AF_INET addresses. If in_ifinit is called for the cloned
   interface that has just been created its address family is not AF_INET and
   therefore LIST_REMOVE is not called for respective LIST_INSERT_HEAD and
   freed entries remain in in_ifaddrhashtbl and lead to memory corruption.
   
   PR:             kern/124384
   MFC after:      3 weeks
   
   Revision   Changes    Path
   1.102.2.2  +8 -0      src/sys/netinet/in.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/124384: commit references a PR
Date: Sat, 19 Jul 2008 13:16:17 +0000 (UTC)

 gonzo       2008-07-19 13:15:51 UTC
 
   FreeBSD src repository
 
   Modified files:        (Branch: RELENG_6)
     sys/netinet          in.c 
   Log:
   SVN rev 180611 on 2008-07-19 13:15:51Z by gonzo
   
   MFC r179971:
   In case of interface initialization failure remove struct in_ifaddr* from
   in_ifaddrhashtbl in in_ifinit because error handler in in_control removes
   entries only for AF_INET addresses. If in_ifinit is called for the cloned
   interface that has just been created its address family is not AF_INET and
   therefore LIST_REMOVE is not called for respective LIST_INSERT_HEAD and
   freed entries remain in in_ifaddrhashtbl and lead to memory corruption.
   
   PR:             kern/124384
   MFC after:      3 weeks
   
   Revision   Changes    Path
   1.85.2.11  +8 -0      src/sys/netinet/in.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: gonzo 
State-Changed-When: Sat Jul 19 13:25:33 UTC 2008 
State-Changed-Why:  
Fix has been MFCed 

http://www.freebsd.org/cgi/query-pr.cgi?pr=124384 
>Unformatted:
