From ingo.rohlfs@uni-tuebingen.de  Fri Feb  3 15:42:59 2006
Return-Path: <ingo.rohlfs@uni-tuebingen.de>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id CCA2B16A420
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  3 Feb 2006 15:42:59 +0000 (GMT)
	(envelope-from ingo.rohlfs@uni-tuebingen.de)
Received: from mx01.uni-tuebingen.de (mx01.uni-tuebingen.de [134.2.3.11])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 2CAC243D45
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  3 Feb 2006 15:42:56 +0000 (GMT)
	(envelope-from ingo.rohlfs@uni-tuebingen.de)
Received: from mh228.ub.uni-tuebingen.de (mh228.ub.uni-tuebingen.de [134.2.65.228])
	by mx01.uni-tuebingen.de (8.12.3/8.12.3) with ESMTP id k13FgqdI012188
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 3 Feb 2006 16:42:52 +0100
Received: from mh228.ub.uni-tuebingen.de (localhost.ub.uni-tuebingen.de [127.0.0.1])
	by mh228.ub.uni-tuebingen.de (8.13.4/8.13.4) with ESMTP id k13FgqkO005312
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 3 Feb 2006 16:42:52 +0100 (CET)
	(envelope-from ingo@mh228.ub.uni-tuebingen.de)
Received: (from ingo@localhost)
	by mh228.ub.uni-tuebingen.de (8.13.4/8.13.4/Submit) id k13FgplF005311;
	Fri, 3 Feb 2006 16:42:51 +0100 (CET)
	(envelope-from ingo)
Message-Id: <200602031542.k13FgplF005311@mh228.ub.uni-tuebingen.de>
Date: Fri, 3 Feb 2006 16:42:51 +0100 (CET)
From: Ingo Rohlfs <ingo.rohlfs@uni-tuebingen.de>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: kernel-crash using carp
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         92776
>Category:       kern
>Synopsis:       [carp] kernel-crash using carp
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    glebius
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 03 15:50:01 GMT 2006
>Closed-Date:    Fri Feb 01 11:21:00 UTC 2008
>Last-Modified:  Fri Feb  1 11:30:01 UTC 2008
>Originator:     Dr. Ingo Rohlfs
>Release:        FreeBSD 6.0-RELEASE i386
>Organization:
Universitt Tbingen
>Environment:
System: FreeBSD mh228.ub.uni-tuebingen.de 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Sat Nov 5 21:09:19 CET 2005 root@s059.ub.uni-tuebingen.de:/usr/obj/usr/src/sys/GENERIC i386

>Description:
	I have a Kernel with pf + pflog + pfsync + carp.
        Build a double carp-environment:
	    carp0: flags=41<UP,RUNNING> mtu 1500
		    inet 134.2.33.33 netmask 0xffffffe0 
		    carp: MASTER vhid 1 advbase 1 advskew 0
	    carp1: flags=41<UP,RUNNING> mtu 1500
		    inet 134.2.67.254 netmask 0xfffffc00 
		    carp: MASTER vhid 2 advbase 1 advskew 0

	If I change the vhid to 1 for carp1, the kernel crashes 
	... hit key or restart in 15 sec.

>How-To-Repeat:
	ifconfig carp1 vhid 1
>Fix:
	Dont do?
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-i386->freebsd-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Tue Feb 21 22:43:27 UTC 2006 
Responsible-Changed-Why:  
This does not sound i386-specific. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=92776 
Responsible-Changed-From-To: freebsd-bugs->glebius 
Responsible-Changed-By: glebius 
Responsible-Changed-When: Sun Feb 26 11:15:07 UTC 2006 
Responsible-Changed-Why:  
I will look at this. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=92776 

From: Stefan Lambrev <stefan.lambrev@sun-fish.com>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/92776: [carp] kernel-crash using carp
Date: Mon, 05 Feb 2007 18:14:25 +0200

 ifconfig carp1 destroy - will cause kernel panic too - tested on freebsd 
 6.2 release SMP kernel - amd64
 
 -- 
 Best Wishes,
 Stefan Lambrev
 ICQ# 24134177
 

From: =?ISO-8859-1?Q?H=E5kon_Granlund?= <hg@sircon.no>
To: bug-followup@FreeBSD.org, ingo.rohlfs@uni-tuebingen.de
Cc:  
Subject: Re: kern/92776: [carp] kernel-crash using carp
Date: Sun, 11 Mar 2007 16:02:36 +0100

 Reproducible on 6.2p2/amd64, both with and without SMP.
 
 Basically any fiddling with ifconfig carpX destroy/vhid, or the use of
 /etc/rc.d/netif restart if rc.conf is set up, can cause a crash.
 
 --
 Hkon Granlund
 

From: =?ISO-8859-1?Q?Ren=E9_de_Vries?= <Rene.de.Vries@tunix.nl>
To: bug-followup@FreeBSD.org
Cc: mlaier@freebsd.org,
 ingo.rohlfs@uni-tuebingen.de,
 Ed Schouten <Ed.Schouten@tunix.nl>
Subject: Re: kern/92776: [carp] kernel-crash using carp
Date: Mon, 12 Mar 2007 11:09:59 +0100

 --Apple-Mail-8--34012124
 Content-Transfer-Encoding: 7bit
 Content-Type: text/plain;
 	charset=US-ASCII;
 	delsp=yes;
 	format=flowed
 
 Hello,
 
 A trainee at TUNIX (Ed Schouten) is working on a research assignment  
 using amongst other CARP. He also discovered this problem and has  
 written a patch for this.
 
 Following is his description of the patch:
 
 FreeBSD has an implementation of the Common Address Redundancy  
 Protocol, which allows two systems to use the same network
 addresses. Each CARP interface has an unique number called VHID  
 (Virtual Host ID). This number can be set using the SIOCSVH
 ioctl. This ioctl has some checks, including a check that the VHID is  
 unique on the system, making it impossible to create two CARP devices  
 with the same VHID.
 
 When another interface with the same VHID is found on the system,  
 EEXIST is returned, without unlocking the device first, causing a  
 NULL pointer dereference in subr_turnstile.c later on (or a failed  
 assertion when INVARIANTS is turned on).
 
 This patch removes the return statement, replacing it with a break,  
 which eventually causes the device to be unlocked before carp_ioctl()  
 returns.
 
 
 --Apple-Mail-8--34012124
 Content-Transfer-Encoding: 7bit
 Content-Type: application/octet-stream;
 	x-unix-mode=0644;
 	name=patch
 Content-Disposition: attachment;
 	filename=patch
 
 --- src/sys/netinet/ip_carp.c	Sat Jan 20 00:01:33 2007
 +++ src/sys/netinet/ip_carp.c	Sun Feb 18 23:13:01 2007
 @@ -1882,8 +1882,10 @@
  				cif = (struct carp_if *)sc->sc_carpdev->if_carp;
  				TAILQ_FOREACH(vr, &cif->vhif_vrs, sc_list)
  					if (vr != sc &&
 -					    vr->sc_vhid == carpr.carpr_vhid)
 -						return EEXIST;
 +					    vr->sc_vhid == carpr.carpr_vhid) {
 +						error = EEXIST;
 +						goto out;
 +					}
  			}
  			sc->sc_vhid = carpr.carpr_vhid;
  			IFP2ENADDR(sc->sc_ifp)[0] = 0;
 @@ -1933,6 +1935,7 @@
  		error = EINVAL;
  	}
 
 +out:
  	if (locked)
  		CARP_SCUNLOCK(sc);
 
 --Apple-Mail-8--34012124
 Content-Transfer-Encoding: quoted-printable
 Content-Type: text/plain;
 	charset=ISO-8859-1;
 	format=flowed
 
 --=20
 Ren=E9 de Vries                      TUNIX Internet Security & =
 Opleidingen
 E-mail: Rene.de.Vries@tunix.nl     Research & Development
 
 
 
 --Apple-Mail-8--34012124--
State-Changed-From-To: open->patched 
State-Changed-By: glebius 
State-Changed-When: Wed Jun 6 13:58:17 UTC 2007 
State-Changed-Why:  
Fix committed to HEAD. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=92776 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/92776: commit references a PR
Date: Wed,  6 Jun 2007 14:21:58 +0000 (UTC)

 glebius     2007-06-06 14:21:50 UTC
 
   FreeBSD src repository
 
   Modified files:
     sys/netinet          ip_carp.c 
   Log:
   Do not leak lock in the case of EEXIST error.
   
   PR:             kern/92776
   Submitted by:   Ed Schouten <Ed.Schouten tunix.nl>
   
   Revision  Changes    Path
   1.49      +6 -2      src/sys/netinet/ip_carp.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: glebius 
State-Changed-When: Fri Feb 1 11:20:47 UTC 2008 
State-Changed-Why:  
Patch merged. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=92776 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/92776: commit references a PR
Date: Fri,  1 Feb 2008 11:20:48 +0000 (UTC)

 glebius     2008-02-01 11:20:42 UTC
 
   FreeBSD src repository
 
   Modified files:        (Branch: RELENG_6)
     sys/netinet          ip_carp.c 
   Log:
   Belated MFC of rev. 1.49:
     Do not leak lock in the case of EEXIST error.
   
   PR:             kern/92776
   
   Revision   Changes    Path
   1.27.2.12  +6 -2      src/sys/netinet/ip_carp.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
>Unformatted:
