General Protection Fault in prelist_remove()

Mark Johnston markj at freebsd.org
Mon Sep 16 17:09:14 UTC 2013


On Mon, Sep 16, 2013 at 05:27:30PM +0200, Hans Petter Selasky wrote:
> Hi,
> 
> I caught a General protection fault in prelist_remove. Any clues what 
> this might be?

Any chance you were creating or destroying interfaces around the time
this crash happened?

There is no locking in the code which manipulates the prefix list (or
any of the global NDP data structures), so it's possible to get crashes
if, for instance, the prefix expiry callout races with in6_ifdetach() to
delete a prefix. It's not clear what caused your crash (not without a
crash dump at least), but I imagine it has something to do with this.

I've partially fixed this at work by adding a rw lock to protect access
to the prefix, default router, and DAD lists. The patch is here:
http://people.freebsd.org/~markj/patches/ndp-locking.diff

If anyone can review or test this patch, please let me know.

Thanks,
-Mark

> 
> FreeBSD-10 from one month back approx.
> 
> > ffffffff80a95810 <prelist_remove>:
> > ffffffff80a95810:       55                      push   %rbp
> > ffffffff80a95811:       48 89 e5                mov    %rsp,%rbp
> > ffffffff80a95814:       41 57                   push   %r15
> > ffffffff80a95816:       41 56                   push   %r14
> > ffffffff80a95818:       53                      push   %rbx
> > ffffffff80a95819:       48 83 ec 38             sub    $0x38,%rsp
> > ffffffff80a9581d:       49 89 ff                mov    %rdi,%r15
> > ffffffff80a95820:       48 8b 04 25 c0 de 3b    mov    0xffffffff813bdec0,%rax
> > ffffffff80a95827:       81
> > ffffffff80a95828:       48 89 45 e0             mov    %rax,-0x20(%rbp)
> > ffffffff80a9582c:       49 c7 47 44 00 00 00    movq   $0x0,0x44(%r15)
> > ffffffff80a95833:       00
> > ffffffff80a95834:       41 f6 47 6c 01          testb  $0x1,0x6c(%r15)
> > ffffffff80a95839:       74 4d                   je     ffffffff80a95888 <prelist_remove+0x78>
> > ffffffff80a9583b:       4c 89 ff                mov    %r15,%rdi
> > ffffffff80a9583e:       e8 fd 00 00 00          callq  ffffffff80a95940 <nd6_prefix_offlink>
> > ffffffff80a95843:       41 89 c6                mov    %eax,%r14d
> > ffffffff80a95846:       45 85 f6                test   %r14d,%r14d
> > ffffffff80a95849:       74 3d                   je     ffffffff80a95888 <prelist_remove+0x78>
> > ffffffff80a9584b:       8b 04 25 c4 a6 56 81    mov    0xffffffff8156a6c4,%eax
> > ffffffff80a95852:       85 c0                   test   %eax,%eax
> > ffffffff80a95854:       74 32                   je     ffffffff80a95888 <prelist_remove+0x78>
> > ffffffff80a95856:       49 8d 77 20             lea    0x20(%r15),%rsi
> > ffffffff80a9585a:       48 8d 7d b0             lea    -0x50(%rbp),%rdi
> > ffffffff80a9585e:       e8 1d fa fd ff          callq  ffffffff80a75280 <ip6_sprintf>
> > ffffffff80a95863:       41 0f b6 4f 78          movzbl 0x78(%r15),%ecx
> > ffffffff80a95868:       4d 8b 07                mov    (%r15),%r8
> > ffffffff80a9586b:       49 83 c0 28             add    $0x28,%r8
> > ffffffff80a9586f:       bf 03 00 00 00          mov    $0x3,%edi
> > ffffffff80a95874:       48 c7 c6 c6 17 fa 80    mov    $0xffffffff80fa17c6,%rsi
> > ffffffff80a9587b:       48 89 c2                mov    %rax,%rdx
> > ffffffff80a9587e:       45 89 f1                mov    %r14d,%r9d
> > ffffffff80a95881:       30 c0                   xor    %al,%al
> > ffffffff80a95883:       e8 08 f0 e5 ff          callq  ffffffff808f4890 <log>
> > ffffffff80a95888:       41 83 7f 7c 00          cmpl   $0x0,0x7c(%r15)
> > ffffffff80a9588d:       7f 6c                   jg     ffffffff80a958fb <prelist_remove+0xeb>
> > ffffffff80a9588f:       49 8b 47 08             mov    0x8(%r15),%rax
> > ffffffff80a95893:       48 85 c0                test   %rax,%rax
> > ffffffff80a95896:       74 0a                   je     ffffffff80a958a2 <prelist_remove+0x92>
> > ffffffff80a95898:       49 8d 4f 08             lea    0x8(%r15),%rcx
> > ffffffff80a9589c:       48 39 48 10             cmp    %rcx,0x10(%rax)
> ^^^^ crash here
> > ffffffff80a958a0:       75 72                   jne    ffffffff80a95914 <prelist_remove+0x104>
> > ffffffff80a958a2:       49 8b 4f 10             mov    0x10(%r15),%rcx
> 
> Non-reproducible.
> 
> --HPS
> _______________________________________________
> freebsd-current at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe at freebsd.org"
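The race Mark describes, replayed as an added example (this is not code from the thread or from the FreeBSD tree; the structure, function and variable names are assumptions chosen to echo the kernel's, and the scenario is constructed). It is a deterministic, single-threaded model: the prefix expiry half of the timer callout walks the prefix list and, at one preemption point, another CPU runs in6_ifdetach() on the same interface. The same sequence is run once with the list unlocked and once with a write lock of the kind the posted patch adds. One reading of the disassembly above fits this model: the faulting `cmp %rcx,0x10(%rax)` tests a field reached through the pointer loaded from `0x8(%r15)`, i.e. a link pointer inside the prefix, which is what LIST_REMOVE's INVARIANTS next-check does, so a prefix that was already freed and poisoned by the other path would fault exactly there.

```c
/* Added model of the nd6_timer() vs in6_ifdetach() prefix-list race. Not kernel
 * code; names mirror the kernel's only for readability. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum model_result { MODEL_OK = 0, MODEL_FAULT = 1 };

struct nd_prefix {
	struct nd_prefix *le_next;   /* LIST_ENTRY()-style links */
	struct nd_prefix **le_prev;  /* address of the pointer that points at us */
	int ndpr_ifindex;            /* interface the prefix belongs to */
	int ndpr_expired;            /* 1 if the expiry callout should drop it */
	int freed;                   /* set once the prefix has been "freed" */
};

/* TRASHIT()-style poison written into a removed entry under INVARIANTS. */
#define TRASH ((void *)(uintptr_t)-1)

static struct nd_prefix *nd_prefix_head;  /* stands in for V_nd_prefix */
static int use_lock;        /* 0: unlocked list, 1: list protected by a lock */
static int wlocked;         /* lock held by the callout */
static int detach_pending;  /* ifdetach blocked on the lock, runs at unlock */
static int pending_ifindex;
static int faulted;         /* set when a freed prefix was dereferenced */

static void in6_ifdetach_model(int ifindex);

static void nd_wlock(void) { if (use_lock) { assert(!wlocked); wlocked = 1; } }
static void nd_wunlock(void)
{
	if (!use_lock) return;
	wlocked = 0;
	if (detach_pending) {           /* the blocked detach now gets the lock */
		detach_pending = 0;
		in6_ifdetach_model(pending_ifindex);
	}
}

static void prelist_insert_head(struct nd_prefix *pr)
{
	if ((pr->le_next = nd_prefix_head) != NULL)
		nd_prefix_head->le_prev = &pr->le_next;
	nd_prefix_head = pr;
	pr->le_prev = &nd_prefix_head;
}

/* LIST_REMOVE() with the INVARIANTS next/prev checks. The next-check reads
 * ->le_prev through pr->le_next; on a stale pr that pointer is poison, which
 * is the dereference that would take the fault. */
static void prelist_remove_model(struct nd_prefix *pr)
{
	if (pr->freed) { faulted = 1; return; }   /* kernel: GPF here */
	if (pr->le_next != NULL)
		assert(pr->le_next->le_prev == &pr->le_next);
	assert(*pr->le_prev == pr);
	if (pr->le_next != NULL)
		pr->le_next->le_prev = pr->le_prev;
	*pr->le_prev = pr->le_next;
	pr->le_next = TRASH;
	pr->le_prev = TRASH;
}

static void in6_ifdetach_model(int ifindex)
{
	struct nd_prefix *pr, *npr;

	nd_wlock();
	for (pr = nd_prefix_head; pr != NULL; pr = npr) {
		npr = pr->le_next;
		if (pr->ndpr_ifindex == ifindex) {
			prelist_remove_model(pr);
			pr->freed = 1;               /* free(pr, M_IP6NDP) */
		}
	}
	nd_wunlock();
}

/* Another CPU runs in6_ifdetach() at this point. */
static void preempt_with_ifdetach(int ifindex)
{
	if (use_lock && wlocked) { detach_pending = 1; pending_ifindex = ifindex; }
	else in6_ifdetach_model(ifindex);   /* nothing serializes it */
}

/* Prefix expiry half of nd6_timer(), with one preemption point. */
static void nd6_timer_model(int detach_ifindex)
{
	struct nd_prefix *pr, *npr;
	int yielded = 0;

	nd_wlock();
	for (pr = nd_prefix_head; pr != NULL; pr = npr) {
		npr = pr->le_next;
		if (!pr->ndpr_expired) continue;
		if (!yielded) { yielded = 1; preempt_with_ifdetach(detach_ifindex); }
		prelist_remove_model(pr);
		if (faulted) return;            /* the kernel would have panicked */
		pr->freed = 1;
	}
	nd_wunlock();
}

static int prefix_count(void)
{
	int n = 0;
	for (struct nd_prefix *pr = nd_prefix_head; pr != NULL; pr = pr->le_next) n++;
	return n;
}

/* Constructed scenario: P0 (if1, expired), P1 (if1, live), P2 (if2, expired),
 * head first in that order; if1 is detached just as the callout drops P0. */
static enum model_result run_model(int locked)
{
	static struct nd_prefix p[3];
	use_lock = locked; wlocked = detach_pending = faulted = 0;
	nd_prefix_head = NULL;
	for (int i = 0; i < 3; i++) { p[i].le_next = NULL; p[i].le_prev = NULL; p[i].freed = 0; }
	p[0].ndpr_ifindex = 1; p[0].ndpr_expired = 1;
	p[1].ndpr_ifindex = 1; p[1].ndpr_expired = 0;
	p[2].ndpr_ifindex = 2; p[2].ndpr_expired = 1;
	prelist_insert_head(&p[2]); prelist_insert_head(&p[1]); prelist_insert_head(&p[0]);
	nd6_timer_model(1);
	return faulted ? MODEL_FAULT : MODEL_OK;
}

int main(void)
{
	printf("unlocked: %s\n", run_model(0) == MODEL_FAULT ? "freed prefix dereferenced" : "ok");
	printf("locked: %s, %d left\n", run_model(1) == MODEL_OK ? "ok" : "fault", prefix_count());
	return 0;
}
```

Unlocked, the detach path removes and frees P0 and P1 while the callout still holds its pointer to P0, and the subsequent prelist_remove(P0) touches poisoned links. With the lock, the detach blocks until the callout has finished its pass and then removes only what is still on the list, so every prefix is torn down exactly once and the list ends empty.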


More information about the freebsd-current mailing list