Date:      Sun, 27 Aug 2017 09:37:33 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 221849] Kernel panic, kqueue related NULL pointer dereference sys/kern/kern_event.c
Message-ID:  <bug-221849-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221849

            Bug ID: 221849
           Summary: Kernel panic, kqueue related NULL pointer dereference
                    sys/kern/kern_event.c
           Product: Base System
           Version: 11.1-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: aragon@phat.za.net

I've stumbled upon a consistently reproducible panic with a GENERIC kernel on 11.1-RELEASE. For me it happens every time I try to connect my Android device to the L2TP/IPSec (racoon+mpd) server running on the system in question. I don't know what's special about the Android VPN client, so I guess this panic might occur under other conditions too (other VPN clients don't trigger this).

kern_kqueue() in sys/kern/kern_event.c:827 gets passed a struct thread pointer, and the member td_ucred->cr_ruidinfo (a null pointer) gets passed to chgkqcnt() in sys/kern/kern_resource.c:1430, which eventually gets dereferenced by atomic_fetchadd_long in sys/amd64/include/atomic.h. Note that the `print *cred` output below shows implausible values in nearly every field (cr_ref = 2168608751, cr_uid = 4294967295, cr_groups = 0x0), which suggests the whole ucred is stale or overwritten rather than just cr_ruidinfo being unset.


Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address   = 0x50
fault code              = supervisor write data, page not present
instruction pointer     = 0x20:0xffffffff80a65f95
stack pointer           = 0x28:0xfffffe004f1258c0
frame pointer           = 0x28:0xfffffe004f1258d0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 816 (sshd)
trap number             = 12
panic: page fault
cpuid = 1
KDB: stack backtrace:
#0 0xffffffff80aada97 at kdb_backtrace+0x67
#1 0xffffffff80a6bb76 at vpanic+0x186
#2 0xffffffff80a6b9e3 at panic+0x43
#3 0xffffffff80edf832 at trap_fatal+0x322
#4 0xffffffff80edf889 at trap_pfault+0x49
#5 0xffffffff80edf0c6 at trap+0x286
#6 0xffffffff80ec3641 at calltrap+0x8
#7 0xffffffff80a21fbc at kern_kqueue+0x4c
#8 0xffffffff80ee0394 at amd64_syscall+0x6c4
#9 0xffffffff80ec392b at Xfast_syscall+0xfb
Uptime: 6m56s
Dumping 122 out of 991 MB:..14%..27%..40%..53%..66%..79%..92%

Reading symbols from /boot/kernel/ng_socket.ko...Reading symbols from
/usr/lib/debug//boot/kernel/ng_socket.ko.debug...done.
done.
Loaded symbols for /boot/kernel/ng_socket.ko
Reading symbols from /boot/kernel/netgraph.ko...Reading symbols from
/usr/lib/debug//boot/kernel/netgraph.ko.debug...done.
done.
Loaded symbols for /boot/kernel/netgraph.ko
Reading symbols from /boot/kernel/ng_mppc.ko...Reading symbols from
/usr/lib/debug//boot/kernel/ng_mppc.ko.debug...done.
done.
Loaded symbols for /boot/kernel/ng_mppc.ko
Reading symbols from /boot/kernel/rc4.ko...Reading symbols from
/usr/lib/debug//boot/kernel/rc4.ko.debug...done.
done.
Loaded symbols for /boot/kernel/rc4.ko
#0  doadump (textdump=<value optimized out>) at pcpu.h:222
222             __asm("movq %%gs:%1,%0" : "=r" (td)
(kgdb) list *0xffffffff80a65f95
0xffffffff80a65f95 is in chgkqcnt (atomic.h:263).
258      */
259     static __inline u_long
260     atomic_fetchadd_long(volatile u_long *p, u_long v)
261     {
262
263             __asm __volatile(
264             "       " MPLOCKED "            "
265             "       xaddq   %0,%1 ;         "
266             "# atomic_fetchadd_long"
267             : "+r" (v),                     /* 0 */
Current language:  auto; currently minimal
(kgdb) backtrace
#0  doadump (textdump=<value optimized out>) at pcpu.h:222
#1  0xffffffff80a6b6f1 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:366
#2  0xffffffff80a6bbb0 in vpanic (fmt=<value optimized out>, ap=<value optimized out>) at /usr/src/sys/kern/kern_shutdown.c:759
#3  0xffffffff80a6b9e3 in panic (fmt=<value optimized out>) at /usr/src/sys/kern/kern_shutdown.c:690
#4  0xffffffff80edf832 in trap_fatal (frame=0xfffffe004f125800, eva=80) at /usr/src/sys/amd64/amd64/trap.c:801
#5  0xffffffff80edf889 in trap_pfault (frame=0xfffffe004f125800, usermode=0) at pcpu.h:222
#6  0xffffffff80edf0c6 in trap (frame=0xfffffe004f125800) at /usr/src/sys/amd64/amd64/trap.c:421
#7  0xffffffff80ec3641 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:236
#8  0xffffffff80a65f95 in chgkqcnt (uip=0x0, diff=1, max=9223372036854775807) at atomic.h:263
#9  0xffffffff80a21fbc in kern_kqueue (td=0xfffff80003e6a000, flags=0, fcaps=0x0) at /usr/src/sys/kern/kern_event.c:837
#10 0xffffffff80ee0394 in amd64_syscall (td=0xfffff80003e6a000, traced=0) at subr_syscall.c:135
#11 0xffffffff80ec392b in Xfast_syscall () at /usr/src/sys/amd64/amd64/exception.S:396
#12 0x00000008021aae9a in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) frame 9
#9  0xffffffff80a21fbc in kern_kqueue (td=0xfffff80003e6a000, flags=0, fcaps=0x0) at /usr/src/sys/kern/kern_event.c:837
837             if (!chgkqcnt(cred->cr_ruidinfo, 1, lim_cur(td, RLIMIT_KQUEUES)))
(kgdb) list
832             struct ucred *cred;
833             int fd, error;
834
835             fdp = td->td_proc->p_fd;
836             cred = td->td_ucred;
837             if (!chgkqcnt(cred->cr_ruidinfo, 1, lim_cur(td, RLIMIT_KQUEUES)))
838                     return (ENOMEM);
839
840             error = falloc_caps(td, &fp, &fd, flags, fcaps);
841             if (error != 0) {
(kgdb) print *cred
$1 = {cr_ref = 2168608751, cr_uid = 4294967295, cr_ruid = 21168128, cr_svuid = 0, cr_ngroups = 0, cr_rgid = 0, cr_svgid = 4,
  cr_uidinfo = 0x0, cr_ruidinfo = 0x0, cr_prison = 0xfffff8002676b4b0, cr_loginclass = 0xfffff80003945280, cr_flags = 60052120,
  cr_pspare2 = 0xfffff80003640448, cr_label = 0x0, cr_audit = {ai_auid = 0, ai_mask = {am_success = 0, am_failure = 2158116784},
    ai_termid = {at_port = 4294967295, at_type = 2158116848, at_addr = 0xfffff80003640474}, ai_asid = -1,
    ai_flags = 18446735277673415680}, cr_groups = 0x0, cr_agroups = 0, cr_smallgroups = 0xfffff8000364049c}

-- 
You are receiving this mail because:
You are the assignee for the bug.


