[Bug 272319] FreeBSD kernel crash on MPD5 restart with PPP configuration.
Date: Sat, 01 Jul 2023 17:21:11 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272319
Bug ID: 272319
Summary: FreeBSD kernel crash on MPD5 restart with PPP configuration.
Product: Base System
Version: 13.2-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: ny2007ltd@gmail.com
FreeBSD 12.0-13.2 (both amd64 and i386) have a kernel crash on MPD5 daemon
restart or OS reboot with a PPP configuration.
How to reproduce:
1. Install FreeBSD 13.2 (sample amd64) with default kernel.
2. Install mpd5 from ports.
3. Configure mpd5 with PPP over TCP/IP.
4. Start the MPD5 daemon.
5. Restart MPD5 or reboot the OS.
6. The kernel crashes.
Sample of mpd5 configuration (/usr/local/etc/mpd5/mpd.conf):
========
startup:
    # set log +all
default:
    load ppp_server
ppp_server:
    set ippool add pool2 10.0.0.0 10.0.255.255
    create bundle template B2
    set ipcp ranges 10.0.1.1/16 ippool pool2
    set iface enable proxy-arp
    set iface enable tcpmssfix
    set iface idle 0
    create link template L2 tcp
    set link enable multilink
    set link enable shortseq
    set link yes acfcomp protocomp
    set link action bundle B2
    set link disable chap pap eap
    set link enable chap chap-msv1 chap-msv2 chap-md5
    set tcp self 127.0.0.1 57
    set link enable incoming
======
Trace:
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0x18
fault code = supervisor write data, page not present
instruction pointer = 0x20:0xffffffff80be3cc2
stack pointer = 0x28:0xfffffe00939e6c70
frame pointer = 0x28:0xfffffe00939e6c80
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = resume, IOPL = 0
current process = 475 (ng_queue0)
trap number = 12
panic: page fault
cpuid = 0
time = 1688225854
KDB: stack backtrace:
#0 0xffffffff80c53dc5 at kdb_backtrace+0x65
#1 0xffffffff80c06741 at vpanic+0x151
#2 0xffffffff80c065e3 at panic+0x43
#3 0xffffffff810b1fa7 at trap_fatal+0x387
#4 0xffffffff810b1fff at trap_pfault+0x4f
#5 0xffffffff81088e78 at calltrap+0x8
#6 0xffffffff80c6bef8 at propagate_priority+0x58
#7 0xffffffff80c6cce3 at turnstile_wait+0x323
#8 0xffffffff80be33a0 at __mtx_lock_sleep+0x180
#9 0xffffffff82b366fb at ng_ksocket_shutdown+0x1ab
#10 0xffffffff82b23923 at ng_rmnode+0x1c3
#11 0xffffffff82b258b5 at ng_apply_item+0x85
#12 0xffffffff82b287b8 at ngthread+0x1e8
#13 0xffffffff80bc2fce at fork_exit+0x7e
#14 0xffffffff81089eee at fork_trampoline+0xe
Uptime: 1m52s
Dumping 161 out of 2006 MB:..10%..20%..30%..40%..50%..60%..70%..80%..90%..100%
__curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:55
55 __asm("movq %%gs:%P1,%0" : "=r" (td) : "n" (offsetof(struct pcpu,
(kgdb) #0 __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:55
#1 doadump (textdump=<optimized out>)
at /usr/src/sys/kern/kern_shutdown.c:396
#2 0xffffffff80c0630a in kern_reboot (howto=260)
at /usr/src/sys/kern/kern_shutdown.c:484
#3 0xffffffff80c067ae in vpanic (fmt=<optimized out>,
ap=ap@entry=0xfffffe00939e6ac0) at /usr/src/sys/kern/kern_shutdown.c:923
#4 0xffffffff80c065e3 in panic (fmt=<unavailable>)
at /usr/src/sys/kern/kern_shutdown.c:847
#5 0xffffffff810b1fa7 in trap_fatal (frame=0xfffffe00939e6bb0, eva=24)
at /usr/src/sys/amd64/amd64/trap.c:942
#6 0xffffffff810b1fff in trap_pfault (frame=0xfffffe00939e6bb0,
usermode=false, signo=<optimized out>, ucode=<optimized out>)
at /usr/src/sys/amd64/amd64/trap.c:761
#7 <signal handler called>
#8 0xffffffff80be3cc2 in atomic_cmpset_long (expect=0,
src=18446741876100055968, dst=<optimized out>)
at /usr/src/sys/amd64/include/atomic.h:217
#9 _thread_lock (td=0xfffff800210a4158) at /usr/src/sys/kern/kern_mutex.c:845
#10 0xffffffff80c6bef8 in propagate_priority (td=0xfffff800210a4158,
td@entry=0xfffffe00544443a0) at /usr/src/sys/kern/subr_turnstile.c:234
#11 0xffffffff80c6cce3 in turnstile_wait (ts=ts@entry=0xfffff800104ff240,
owner=owner@entry=0xfffff800210a4158, queue=queue@entry=0)
at /usr/src/sys/kern/subr_turnstile.c:808
#12 0xffffffff80be33a0 in __mtx_lock_sleep (c=0xfffff800210a4160,
v=<optimized out>) at /usr/src/sys/kern/kern_mutex.c:668
#13 0xffffffff82b366fb in ng_ksocket_shutdown (node=0xfffff80021ae7800)
at /usr/src/sys/netgraph/ng_ksocket.c:939
#14 0xffffffff82b23923 in ng_rmnode (node=0xfffff80021ae7800,
dummy1=<optimized out>, dummy2=<optimized out>, dummy3=<optimized out>)
at /usr/src/sys/netgraph/ng_base.c:758
#15 0xffffffff82b258b5 in ng_apply_item (node=node@entry=0xfffff80021ae7800,
item=item@entry=0xfffff80021659d80, rw=rw@entry=1)
at /usr/src/sys/netgraph/ng_base.c:2477
#16 0xffffffff82b287b8 in ngthread (arg=arg@entry=0x0)
at /usr/src/sys/netgraph/ng_base.c:3444
#17 0xffffffff80bc2fce in fork_exit (callout=0xffffffff82b285d0 <ngthread>,
arg=0x0, frame=0xfffffe00939e6f40) at /usr/src/sys/kern/kern_fork.c:1093
#18 <signal handler called>
#19 0x000004c708f40bfa in ?? ()
Backtrace stopped: Cannot access memory at address 0x4c700446b68
(kgdb)
=========
Reproduced in a stable way. Visible only with PPP over TCP/IP;
PPTP and L2TP do not have this problem. The FreeBSD 11 kernel works well
and does not have this problem.
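
A triage sketch for the panic message above, added here as an example and not part of the original report or of FreeBSD: it parses the KDB fields and backtrace, flags a fault address inside page 0, and picks out the first frame after the trap handlers and the first netgraph (`ng_`) frame. The names `triage` and `REPORTING` and the `ng_` prefix default are assumptions of this example; the input is an excerpt copied from the trace in this report.

```python
import re

# Excerpt copied from the panic message in the report above.
PANIC = """\
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x18
fault code = supervisor write data, page not present
current process = 475 (ng_queue0)
#0 0xffffffff80c53dc5 at kdb_backtrace+0x65
#1 0xffffffff80c06741 at vpanic+0x151
#2 0xffffffff80c065e3 at panic+0x43
#3 0xffffffff810b1fa7 at trap_fatal+0x387
#4 0xffffffff810b1fff at trap_pfault+0x4f
#5 0xffffffff81088e78 at calltrap+0x8
#6 0xffffffff80c6bef8 at propagate_priority+0x58
#7 0xffffffff80c6cce3 at turnstile_wait+0x323
#8 0xffffffff80be33a0 at __mtx_lock_sleep+0x180
#9 0xffffffff82b366fb at ng_ksocket_shutdown+0x1ab
#10 0xffffffff82b23923 at ng_rmnode+0x1c3
"""

# Frames that belong to panic/trap reporting, not to the faulting code path.
REPORTING = {"kdb_backtrace", "vpanic", "panic", "trap_fatal", "trap_pfault", "calltrap"}
FRAME = re.compile(r"^#(\d+) (0x[0-9a-f]+) at (\w+)\+(0x[0-9a-f]+)$", re.M)
PAGE_SIZE = 4096  # base page size on amd64 and i386

def triage(text, prefix="ng_"):
    """Summarise a KDB panic message; prefix selects the subsystem of interest."""
    field = lambda name: re.search(rf"^{name}\s*=\s*(.+)$", text, re.M)
    addr = field("fault virtual address")
    code = field("fault code")
    proc = field("current process")
    # Keep call order, dropping the panic/trap reporting frames at the top.
    path = [m.group(3) for m in FRAME.finditer(text) if m.group(3) not in REPORTING]
    fault_addr = int(addr.group(1), 16) if addr else None
    return {
        "fault_addr": fault_addr,
        # An address inside page 0 is a small offset from a NULL pointer.
        "null_offset": fault_addr is not None and fault_addr < PAGE_SIZE,
        "write": bool(code and "write" in code.group(1)),
        "process": proc.group(1).strip() if proc else None,
        "first_frame": path[0] if path else None,
        "subsystem_entry": next((f for f in path if f.startswith(prefix)), None),
        "lock_path": any(f.startswith("__mtx_lock") for f in path),
    }

if __name__ == "__main__":
    for key, value in triage(PANIC).items():
        print(f"{key}: {value}")
```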