CTSRD-CHERI / cheribsd

FreeBSD adapted for CHERI-RISC-V and Arm Morello.
http://cheribsd.org

Tag violation in in6_control_ioctl() #2129

Closed kwitaszczyk closed 2 months ago

kwitaszczyk commented 2 months ago

When executing service netif restart on dev (bdeff30fb6b1) running GENERIC-MORELLO-PURECAP, I get a panic with the following backtrace:

(kgdb) bt
#0  get_curthread () at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/arm64/include/pcpu.h:92
#1  doadump (textdump=1) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/kern/kern_shutdown.c:411
#2  0xffff0000005834b4 in kern_reboot (howto=1) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/kern/kern_shutdown.c:529
#3  0xffff000000583ae8 in vpanic (fmt=0xffff000000b039b3 [rR,0xffff000000b039b3-0xffff000000b039da] (invalid) "Capability abort from kernel space: %s", ap=<optimized out>) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/kern/kern_shutdown.c:989
#4  0xffff0000005837d0 in panic (fmt=0xffff000000b039b3 [rR,0xffff000000b039b3-0xffff000000b039da] (invalid) "Capability abort from kernel space: %s") at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/kern/kern_shutdown.c:913
#5  0xffff00000094d050 in cap_abort (td=0xffff00019899d600 [rwRW,0xffff00019899d600-0xffff00019899df70] (invalid), frame=<optimized out>, esr=18446462598750959792, far=18446638520598276944, lower=<optimized out>) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/arm64/arm64/trap.c:335
#6  <signal handler called>
#7  0xffff000000798e48 in in6_control_ioctl (cmd=<optimized out>, data=0xffff0001947edf58 [rwRW,0xffff0001947edf58-0xffff0001947edfe0] (invalid), ifp=0xffffa0000d005000 [rwRW,0xffffa0000d005000-0xffffa0000d006000] (invalid), cred=0xffffa0000d532300 [rwRW,0xffffa0000d532300-0xffffa0000d532480] (invalid)) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/netinet6/in6.c:408
#8  0xffff0000007fb0c4 in rtnl_handle_addr (hdr=<optimized out>, nlp=0xffffa0000da31c00 [rwRW,0xffffa0000da31c00-0xffffa0000da31d80] (invalid), npt=<optimized out>) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/netlink/route/iface.c:1274
#9  0xffff0000007f85fc in rtnl_handle_message (hdr=0xffffa0871cdfa82c [rwRW,0xffffa0871cdfa82c-0xffffa0871cdfb000] (invalid), npt=0xffff0001947ee3d0 [rwRW,0xffff0001947ee3d0-0xffff0001947ee460] (invalid)) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/netlink/netlink_route.c:103
#10 0xffff0000007f60f0 in nl_receive_message (hdr=0xffffa0871cdfa82c [rwRW,0xffffa0871cdfa82c-0xffffa0871cdfb000] (invalid), remaining_length=<optimized out>, nlp=0xffffa0000da31c00 [rwRW,0xffffa0000da31c00-0xffffa0000da31d80] (invalid), npt=<optimized out>) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/netlink/netlink_io.c:294
#11 nl_process_nbuf (nb=0xffffa0871cdfa800 [rwRW,0xffffa0871cdfa800-0xffffa0871cdfb000] (invalid), nlp=0xffffa0000da31c00 [rwRW,0xffffa0000da31c00-0xffffa0000da31d80] (invalid)) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/netlink/netlink_io.c:352
#12 nl_process_received_one (nlp=0xffffa0000da31c00 [rwRW,0xffffa0000da31c00-0xffffa0000da31d80] (invalid)) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/netlink/netlink_io.c:118
#13 nl_process_received (nlp=0xffffa0000da31c00 [rwRW,0xffffa0000da31c00-0xffffa0000da31d80] (invalid)) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/netlink/netlink_io.c:149
#14 nl_taskqueue_handler (_arg=0xffffa0000da31c00 [rwRW,0xffffa0000da31c00-0xffffa0000da31d80] (invalid), pending=<optimized out>) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/netlink/netlink_io.c:186
#15 0xffff0000005f99e0 in taskqueue_run_locked (queue=0xffffa00000fe6a00 [rwRW,0xffffa00000fe6a00-0xffffa00000fe6c00] (invalid)) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/kern/subr_taskqueue.c:517
#16 0xffff0000005faa74 in taskqueue_thread_loop (arg=<optimized out>) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/kern/subr_taskqueue.c:829
#17 0xffff00000052e8e4 in fork_exit (callout=0xffff0000005fa981 <taskqueue_thread_loop> [rxRE,0x0-0xffffffffffffffff] (invalid,sentry), arg=0xffffa0000da31c40 [rwRW,0xffffa0000da31c40-0xffffa0000da31c50] (invalid), frame=0xffff0001947ee810 [rwRW,0xffff0001947e9000-0xffff0001947ef000] (invalid)) at /local/scratch/jenkins/workspace/CheriBSD-pipeline_dev@2/cheribsd/sys/kern/kern_fork.c:1169
#18 <signal handler called>
(kgdb) 

Kernel crash dumps don't include information on tags at the moment so the invalid keyword should be ignored when analysing this backtrace.

The panic is triggered every time I run the command. I have the following network configuration in rc.conf (note that it uses IPv6):

ifconfig_re0="DHCP"
ifconfig_re0_ipv6="inet6 accept_rtadv"

kwitaszczyk commented 2 months ago

It's fixed in dev now.