Date: Mon, 21 Jan 2019 03:56:58 +0000
From: bugzilla-noreply@freebsd.org
To: testing@freebsd.org
Subject: [Bug 235097] ci runs failing with panic in IPv6 code with use-after-free in epair/pfctl when running sys/netpfil/pf/nat tests
Message-ID: <bug-235097-32464@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=235097

            Bug ID: 235097
           Summary: ci runs failing with panic in IPv6 code with
                    use-after-free in epair/pfctl when running
                    sys/netpfil/pf/nat tests
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: tests
          Assignee: testing@freebsd.org
          Reporter: ngie@FreeBSD.org

From https://ci.freebsd.org/job/FreeBSD-head-amd64-test/9853/console :

03:41:28 sys/netpfil/pf/fragmentation:too_many_fragments  ->  passed  [11.324s]
03:41:40 sys/netpfil/pf/fragmentation:v6  ->  passed  [0.215s]
03:41:40 sys/netpfil/pf/names:names  ->  passed  [0.165s]
03:41:40 sys/netpfil/pf/nat:exhaust  ->  lock order reversal:
03:41:43  1st 0xfffff8013181a490 filedesc structure (filedesc structure) @ /usr/src/sys/kern/sys_generic.c:1515
03:41:43  2nd 0xfffff80131b3e608 ufs (ufs) @ /usr/src/sys/kern/vfs_vnops.c:1513
03:41:43 stack backtrace:
03:41:43 #0 0xffffffff80c44c13 at witness_debugger+0x73
03:41:43 #1 0xffffffff80c44963 at witness_checkorder+0xac3
03:41:43 #2 0xffffffff80bb186d at lockmgr_xlock_hard+0x6d
03:41:43 #3 0xffffffff80bb2303 at __lockmgr_args+0x5f3
03:41:43 #4 0xffffffff80eeeaf5 at ffs_lock+0xa5
03:41:43 #5 0xffffffff81234703 at VOP_LOCK1_APV+0x63
03:41:43 #6 0xffffffff80cbfe25 at _vn_lock+0x65
03:41:43 #7 0xffffffff80cbec3a at vn_poll+0x3a
03:41:43 #8 0xffffffff80c4b06a at kern_poll+0x3ca
03:41:43 #9 0xffffffff80c4ac90 at sys_poll+0x50
03:41:43 #10 0xffffffff810abe96 at amd64_syscall+0x276
03:41:43 #11 0xffffffff81085f7d at fast_syscall_common+0x101
03:41:44 passed  [3.421s]
03:41:44 sys/netpfil/pf/pass_block:noalias  ->  Jan 21 03:41:45 kernel: nd6_dad_timer: called with non-tentative address fe80:3::5a:1bff:fe50:80b(epair3b)
03:41:46 Jan 21 03:41:46 kernel: nd6_dad_timer: called with non-tentative address fe80:5::5a:1bff:fe50:80a(epair3a)
03:41:48 panic: Memory modified after free 0xfffffe003ee0c080(8) val=deadc0df @ 0xfffffe003ee0c080
03:41:48
03:41:48 cpuid = 1
03:41:48 time = 1548042108
03:41:48 KDB: stack backtrace:
03:41:48 db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe003f2f4030
03:41:48 vpanic() at vpanic+0x1b4/frame 0xfffffe003f2f4090
03:41:48 panic() at panic+0x43/frame 0xfffffe003f2f40f0
03:41:48 trash_ctor() at trash_ctor+0x4c/frame 0xfffffe003f2f4100
03:41:48 uma_zalloc_arg() at uma_zalloc_arg+0x9ff/frame 0xfffffe003f2f4190
03:41:48 uma_zalloc_pcpu_arg() at uma_zalloc_pcpu_arg+0x23/frame 0xfffffe003f2f41c0
03:41:48 pfioctl() at pfioctl+0x419e/frame 0xfffffe003f2f46b0
03:41:48 devfs_ioctl() at devfs_ioctl+0xca/frame 0xfffffe003f2f4700
03:41:48 VOP_IOCTL_APV() at VOP_IOCTL_APV+0x63/frame 0xfffffe003f2f4720
03:41:48 vn_ioctl() at vn_ioctl+0x124/frame 0xfffffe003f2f4830
03:41:48 devfs_ioctl_f() at devfs_ioctl_f+0x1f/frame 0xfffffe003f2f4850
03:41:48 kern_ioctl() at kern_ioctl+0x29b/frame 0xfffffe003f2f48c0
03:41:48 sys_ioctl() at sys_ioctl+0x15d/frame 0xfffffe003f2f4990
03:41:48 amd64_syscall() at amd64_syscall+0x276/frame 0xfffffe003f2f4ab0
03:41:48 fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe003f2f4ab0
03:41:48 --- syscall (54, FreeBSD ELF64, sys_ioctl), rip = 0x8004b02fa, rsp = 0x7fffffffcc38, rbp = 0x7fffffffd860 ---
03:41:48 KDB: enter: panic
03:41:48 [ thread pid 81820 tid 100186 ]
03:41:48 Stopped at      kdb_enter+0x3b: movq    $0,kdb_why
03:41:48 db:0:kdb.enter.panic> show pcpu
03:41:48 cpuid        = 1
03:41:48 dynamic pcpu = 0xfffffe00801938c0
03:41:48 curthread    = 0xfffff801317f55a0: pid 81820 tid 100186 "pfctl"
03:41:48 curpcb       = 0xfffffe003f2f4b80
03:41:48 fpcurthread  = 0xfffff801317f55a0: pid 81820 "pfctl"
03:41:48 idlethread   = 0xfffff8000327b5a0: tid 100004 "idle: cpu1"
03:41:48 curpmap      = 0xfffff80028f45130
03:41:48 tssp         = 0xffffffff821cb208
03:41:48 commontssp   = 0xffffffff821cb208
03:41:48 rsp0         = 0xfffffe003f2f4b80
03:41:48 gs32p        = 0xffffffff821d1e40
03:41:48 ldt          = 0xffffffff821d1e80
03:41:48 tss          = 0xffffffff821d1e70
03:41:48 tlb gen      = 466083
03:41:48 curvnet      = 0xfffff800032e7a80
03:41:48 spin locks held:
03:41:48 db:0:kdb.enter.panic> alltrace
03:41:48
03:41:48 Tracing command pfctl pid 81820 tid 100186 td 0xfffff801317f55a0 (CPU 1)
03:41:48 kdb_enter() at kdb_enter+0x3b/frame 0xfffffe003f2f4030
03:41:48 vpanic() at vpanic+0x1d1/frame 0xfffffe003f2f4090
03:41:48 panic() at panic+0x43/frame 0xfffffe003f2f40f0
03:41:48 trash_ctor() at trash_ctor+0x4c/frame 0xfffffe003f2f4100
03:41:48 uma_zalloc_arg() at uma_zalloc_arg+0x9ff/frame 0xfffffe003f2f4190
03:41:48 uma_zalloc_pcpu_arg() at uma_zalloc_pcpu_arg+0x23/frame 0xfffffe003f2f41c0
03:41:48 pfioctl() at pfioctl+0x419e/frame 0xfffffe003f2f46b0
03:41:48 devfs_ioctl() at devfs_ioctl+0xca/frame 0xfffffe003f2f4700
03:41:48 VOP_IOCTL_APV() at VOP_IOCTL_APV+0x63/frame 0xfffffe003f2f4720
03:41:49 vn_ioctl() at vn_ioctl+0x124/frame 0xfffffe003f2f4830
03:41:49 devfs_ioctl_f() at devfs_ioctl_f+0x1f/frame 0xfffffe003f2f4850
03:41:49 kern_ioctl() at kern_ioctl+0x29b/frame 0xfffffe003f2f48c0
03:41:49 sys_ioctl() at sys_ioctl+0x15d/frame 0xfffffe003f2f4990
03:41:49 amd64_syscall() at amd64_syscall+0x276/frame 0xfffffe003f2f4ab0
03:41:49 fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe003f2f4ab0
03:41:49 --- syscall (54, FreeBSD ELF64, sys_ioctl), rip = 0x8004b02fa, rsp = 0x7fffffffcc38, rbp = 0x7fffffffd860 ---

--
You are receiving this mail because:
You are the assignee for the bug.