[Bug 238326] Kernel crash on jail stop (VIMAGE/VNET)
bugzilla-noreply at freebsd.org
Mon Feb 1 07:59:17 UTC 2021
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238326
--- Comment #22 from Zhenlei Huang <zlei.huang at gmail.com> ---
(In reply to Kyle Evans from comment #20)
Steps to reproduce the kernel panic:
Host environment:
FreeBSD 12.2 Guest fresh install with kernel debug symbols, VMware Fusion
12.1.0, hardware configured with 4 Processor cores and 1G memory, system
updated to 12.2-RELEASE-p3.
Host and jail's /etc/rc.conf:
------------- rc.conf ------------------
# The jails share this rc.conf, let's disable the syslog service
syslogd_enable="NO"
#syslogd_flags="-ss"
sendmail_enable="NONE"
hostname=""
ifconfig_em0="DHCP"
dumpdev="AUTO"
zfs_enable="YES"
----------------------------------------
Host's /etc/jail.conf:
------------ jail.conf -----------------
# template for all test jails
# it is convenient to share host's filesystem
path = "/";
exec.clean;
vnet = new;
vnet.interface = "epair${ifnum}b";
exec.prepare = "/sbin/ifconfig epair${ifnum} create";
exec.prepare += "/sbin/ifconfig epair${ifnum}a inet 192.168.${ifnum}.1/24 up";
exec.start = "/bin/sh /etc/rc";
# I've no idea why opening and binding a socket would trigger the kernel panic
# more likely :(
exec.start += "/usr/sbin/daemon /usr/bin/nc -l 0.0.0.0 9999";
exec.start += "/sbin/ifconfig epair${ifnum}b inet 192.168.${ifnum}.2/24";
exec.start += "/sbin/route add default 192.168.${ifnum}.1";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.poststop += "/sbin/ifconfig epair${ifnum}a destroy";
test1 {
$ifnum = 10;
}
# with more jails it seems to crash the host more likely
test2 {
$ifnum = 20;
}
----------------------------------------
Then repeat stopping and starting the jail service; the host crashes about once in
2 or 3 times.
# service jail onestart && service jail onestop
...
The kernel panic message:
Fatal trap 12: page fault while in kernel mode
cpuid = 2; apic id = 04
fault virtual address = 0x410
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff80b9f237
stack pointer = 0x28:0xfffffe0015b55370
frame pointer = 0x28:0xfffffe0015b553f0
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 93087 (ifconfig)
trap number = 12
panic: page fault
cpuid = 2
time = 1612193992
KDB: stack backtrace:
#0 0xffffffff80c0aa85 at kdb_backtrace+0x65
#1 0xffffffff80bbed3b at vpanic+0x17b
#2 0xffffffff80bbebb3 at panic+0x43
#3 0xffffffff8108e911 at trap_fatal+0x391
#4 0xffffffff8108e96f at trap_pfault+0x4f
#5 0xffffffff8108dfb6 at trap+0x286
#6 0xffffffff81066938 at calltrap+0x8
#7 0xffffffff80bb9591 at _rm_rlock_hard+0x3c1
#8 0xffffffff80ce5ce6 at rtinit+0x2a6
#9 0xffffffff80d3873e at in_scrubprefix+0x29e
#10 0xffffffff80d5001d at rip_ctlinput+0x8d
#11 0xffffffff80c4922c at pfctlinput+0x5c
#12 0xffffffff80cbb4fa at if_down+0x12a
#13 0xffffffff80cb90d0 at if_detach_internal+0x150
#14 0xffffffff80cb8df0 at if_detach+0x50
#15 0xffffffff82b1ebb1 at epair_clone_destroy+0x81
#16 0xffffffff80cc0c4d at if_clone_destroyif+0xdd
#17 0xffffffff80cc0b12 at if_clone_destroy+0x1a2
Uptime: 1m22s
Dumping 160 out of 982 MB:..10%..20%..30%..40%..50%..60%..70%..80%..90%..100%
To be clear, after updating to 12.2-RELEASE-p3, it's difficult to crash the host
without the below line in jail.conf:
exec.start += "/usr/sbin/daemon /usr/bin/nc -l 0.0.0.0 9999";
I'll attach the full core text dump later.