[Bug 227720] Kernel panic in ppp server
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Thu Nov 8 17:58:30 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=227720
--- Comment #37 from Franck Rousseau <Franck.Rousseau at imag.fr> ---
Thanks for the fast reply! Not sure if I continue here or in bug #230498 but
since this is still related to PPP, I put it here.
I only had 15 min to test, but it crashed right away on the first try. Here is
the procedure:
- setup PC3: configure address on Ethernet interface;
- setup PC2: configure address on Ethernet interface, add ARP pub entry,
activate forwarding, start ppp server and wait for connection;
- setup PC3: start pinging PC3, obviously it fails, start ppp client and open
connection, add default route, everything works correctly.
Leave everything running as it is, then quit ppp on both sides, restart the
server waiting for the connection, connect from client -> crash on PC2.
Here is the trace. With the patch applied, it now crashes one call further, at
rtsock.c:1559:
info.rti_info[RTAX_GENMASK] = 0;
if (rt->rt_ifp) {
- info.rti_info[RTAX_IFP] = rt->rt_ifp->if_addr->ifa_addr;
+ IF_ADDR_RLOCK(rt->rt_ifp);
+ if (rt->rt_ifp->if_addr != NULL)
+ info.rti_info[RTAX_IFP] =
rt->rt_ifp->if_addr->ifa_addr;
info.rti_info[RTAX_IFA] = rt->rt_ifa->ifa_addr;
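Review bot: The added `IF_ADDR_RLOCK(rt->rt_ifp)` and the `if_addr != NULL` test both dereference `rt->rt_ifp`, so they only cover a cleared `if_addr` and give no protection when the ifnet the route points at is itself stale. The kgdb output that follows points that way: the fault is in `__rw_rlock_hard` called from rtsock.c:1559, and the dumped ifnet has implausible fields (`if_addr = 0x3700000018`, `rw_lock = 256`, a non-text `lo_name`), which looks like a use-after-free of the interface after ppp teardown rather than a NULL `if_addr`, though that needs confirming. The durable fix is probably on the lifetime side (the route holding a reference on the ifnet, or routes being purged before the ifnet is freed), and at this site I would at least record the assumption with `/* rt_ifp must still be live here; taking if_addr_lock does not validate the pointer */`. The quoted excerpt ends before any matching `IF_ADDR_RUNLOCK`, and `rt->rt_ifa->ifa_addr` on its last line is still read without a NULL check; the enclosing function continues outside the excerpt.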
I also add a somewhat tidied up version of the (struct ifnet *)
(kgdb) bt
#0 doadump (textdump=<value optimized out>) at pcpu.h:229
#1 0xffffffff80af673b in kern_reboot (howto=260) at
/usr/src/sys/kern/kern_shutdown.c:383
#2 0xffffffff80af6b61 in vpanic (fmt=<value optimized out>, ap=<value
optimized out>) at /usr/src/sys/kern/kern_shutdown.c:776
#3 0xffffffff80af69a3 in panic (fmt=<value optimized out>) at
/usr/src/sys/kern/kern_shutdown.c:707
#4 0xffffffff80f77fdf in trap_fatal (frame=0xfffffe0468486290, eva=1208) at
/usr/src/sys/amd64/amd64/trap.c:875
#5 0xffffffff80f78039 in trap_pfault (frame=0xfffffe0468486290, usermode=0) at
pcpu.h:229
#6 0xffffffff80f77807 in trap (frame=0xfffffe0468486290) at
/usr/src/sys/amd64/amd64/trap.c:415
#7 0xffffffff80f57fdc in calltrap () at
/usr/src/sys/amd64/amd64/exception.S:231
#8 0xffffffff80af2893 in __rw_rlock_hard (rw=0xfffff800be4bc990,
td=0xfffff80105056620, v=<value optimized out>) at
/usr/src/sys/kern/kern_rwlock.c:493
#9 0xffffffff80c0ce9b in sysctl_dumpentry (rn=0xfffff80008e74270,
vw=0xfffffe0468486690) at /usr/src/sys/net/rtsock.c:1559
#10 0xffffffff80c07aa0 in rn_walktree (h=<value optimized out>, f=<value
optimized out>, w=<value optimized out>) at /usr/src/sys/net/radix.c:1094
#11 0xffffffff80c0c7ff in sysctl_rtsock (oidp=<value optimized out>,
arg1=<value optimized out>, arg2=<value optimized out>, req=<value optimized
out>) at /usr/src/sys/net/rtsock.c:1919
#12 0xffffffff80b03ccb in sysctl_root_handler_locked (oid=0xffffffff81a33f38,
arg1=0xfffffe0468486908, arg2=4, req=0xfffffe0468486840,
tracker=0xfffffe04684867b8) at /usr/src/sys/kern/kern_sysctl.c:165
#13 0xffffffff80b03521 in sysctl_root (arg1=0xfffffe0468486908, arg2=4) at
/usr/src/sys/kern/kern_sysctl.c:1915
#14 0xffffffff80b03a46 in userland_sysctl (td=<value optimized out>,
name=0xfffffe0468486900, namelen=6, old=0x0, oldlenp=<value optimized out>,
inkernel=<value optimized out>, new=0x0, newlen=0, retval=0xfffffe0468486968,
flags=0) at /usr/src/sys/kern/kern_sysctl.c:2011
#15 0xffffffff80b038cf in sys___sysctl (td=0xfffff80105056620,
uap=0xfffff80105056b58) at /usr/src/sys/kern/kern_sysctl.c:1945
#16 0xffffffff80f79068 in amd64_syscall (td=0xfffff80105056620, traced=0) at
subr_syscall.c:132
#17 0xffffffff80f5882d in fast_syscall_common () at
/usr/src/sys/amd64/amd64/exception.S:479
#18 0x0000000801de047a in ?? ()
Previous frame inner to this frame (corrupt stack?)
Current language: auto; currently minimal
(kgdb) f 8
#8 0xffffffff80af2893 in __rw_rlock_hard (rw=0xfffff800be4bc990,
td=0xfffff80105056620, v=<value optimized out>) at
/usr/src/sys/kern/kern_rwlock.c:493
493 owner = (struct thread *)RW_OWNER(v);
Current language: auto; currently minimal
(kgdb) f 9
#9 0xffffffff80c0ce9b in sysctl_dumpentry (rn=0xfffff80008e74270,
vw=0xfffffe0468486690) at /usr/src/sys/net/rtsock.c:1559
1559 IF_ADDR_RLOCK(rt->rt_ifp);
(kgdb) p rt->rt_ifp->if_addr_lock
$1 = {lock_object = {lo_name = 0xfffff800be4bc9f0 "P?K?", lo_flags =
3192637744, lo_data = 4294965248, lo_witness = 0xfffff80007085848}, rw_lock =
256}
(kgdb) p rt->rt_ifp->if_addr->ifa_addr
Cannot access memory at address 0x3700000018
(kgdb) p *rt->rt_ifp
$2 = {
if_link = { tqe_next = 0xfffff800be9c9210, tqe_prev = 0xfffff800be9c9000 },
if_clones = { le_next = 0xfffff800be4bc870, le_prev = 0xfffff800be4bcb70 },
if_groups = { tqh_first = 0xfffff800be9c9048, tqh_last = 0x100 },
if_alloctype = 0 '\0',
if_softc = 0xfffff800be9c9000,
if_llsoftc = 0x3e50000,
if_l2com = 0x400000004,
if_dname = 0x0,
if_dunit = 51,
if_index = 36,
if_index_reserved = 0,
if_xname = 0xfffff800be4bc860 "\020>y\b",
if_description = 0xfffff800be4bc8d0 "0?K?",
if_flags = -1102329840,
if_drv_flags = -2048,
if_capabilities = 142163016,
if_capenable = -2048,
if_linkmib = 0x100,
if_linkmiblen = 0,
if_refcount = 142162944,
if_type = 0 '\0',
if_addrlen = 248 '?',
if_hdrlen = 255 '?',
if_link_state = 255 '?',
if_mtu = 1078468608,
if_metric = 0,
if_baudrate = 2,
if_hwassist = 0,
if_epoch = 90194313239,
if_lastchange = { tv_sec = -8796001543664, tv_usec = -8796001544192 },
if_snd = { ifq_head = 0xfffff800be4bc930,
ifq_tail = 0xfffff800be4bc870,
ifq_len = 91478088, ifq_maxlen = -2048,
ifq_mtx = { lock_object = { lo_name = 0x100 <Address 0x100 out
of bounds>,
lo_flags = 0,
lo_data = 0,
lo_witness = 0xfffff8000573d800},
mtx_lock = 1079562240
},
ifq_drv_head = 0x2,
ifq_drv_tail = 0x0,
ifq_drv_len = 149,
ifq_drv_maxlen = 21,
altq_type = 141323792,
altq_flags = -2048,
altq_disc = 0xfffff800086c6c00,
altq_ifp = 0xfffff800be4bc990,
altq_enqueue = 0xfffff800be4bc8d0,
altq_dequeue = 0xfffff800086c6c48,
altq_request = 0x100, altq_clfier = 0x0,
altq_classify = 0xfffff800086c6c00,
altq_tbr = 0x84a000,
altq_cdnr = 0x4
},
if_linktask = { ta_link = { stqe_next = 0x0},
ta_pending = 6,
ta_priority = 0,
ta_func = 0xfffff80007085a10,
ta_context = 0xfffff80007085800
},
if_addr_lock = { lock_object = { lo_name = 0xfffff800be4bc9f0 "P?K?",
lo_flags = 3192637744,
lo_data = 4294965248,
lo_witness = 0xfffff80007085848
},
rw_lock = 256
},
if_addrhead = { tqh_first = 0x0, tqh_last = 0xfffff80007085800 },
if_multiaddrs = { tqh_first = 0xf7d000, tqh_last = 0x4 },
if_amcount = 0,
if_addr = 0x3700000018,
if_broadcastaddr = 0xfffff80007090a10 "\001",
if_afdata_lock = { lock_object = { lo_name = 0xfffff80007090800 "",
lo_flags = 3192638032,
lo_data = 4294965248,
lo_witness = 0xfffff800be4bc990
},
rw_lock = 18446735277734561864
},
if_afdata = 0xfffff800be4bca08,
if_afdata_initialized = 63,
if_fib = 55,
if_vnet = 0xfffff800be3dd610,
if_home_vnet = 0xfffff800be3dd400,
if_vlantrunk = 0xfffff800be4bc810,
if_bpf = 0xfffff800be4bccf0,
if_pcount = -1103244216,
if_bridge = 0x100,
if_lagg = 0x0,
if_pf_kif = 0xfffff800be3dd400,
if_carp = 0x220a000,
if_label = 0x400000004,
if_netmap = 0x0,
if_output = 0x2400000039,
if_input = 0xfffff80007075a10,
if_start = 0xfffff80007075800,
if_ioctl = 0xfffff800be4bcc30,
if_init = 0xfffff800be4bcb10,
if_resolvemulti = 0xfffff80007075848,
if_qflush = 0x100, if_transmit = 0,
if_reassign = 0xfffff80007075800,
if_get_counter = 0x40460000,
if_requestencap = 0x2,
if_counters = 0xfffff800be4bcc10,
if_hw_tsomax = 0,
if_hw_tsomaxsegcount = 0,
if_hw_tsomaxsegsize = 17,
if_pspare = 0xfffff800be4bcc80,
if_hw_addr = 0xfffff800be4bcc30,
if_pcp = 72 'H',
if_bspare = 0xfffff800be4bcca1 "?\b\a",
if_ispare = 0xfffff800be4bcca4
}