From owner-freebsd-bugs@FreeBSD.ORG  Fri Jan 30 18:28:13 2015
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 2CDCBE05
 for <freebsd-bugs@FreeBSD.org>; Fri, 30 Jan 2015 18:28:13 +0000 (UTC)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2001:1900:2254:206a::16:76])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 0E0AF3D9
 for <freebsd-bugs@FreeBSD.org>; Fri, 30 Jan 2015 18:28:13 +0000 (UTC)
Received: from bugs.freebsd.org ([127.0.1.118])
 by kenobi.freebsd.org (8.14.9/8.14.9) with ESMTP id t0UISCJT054755
 for <freebsd-bugs@FreeBSD.org>; Fri, 30 Jan 2015 18:28:12 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 197203] [VIMAGE] null pointer dereference causing kernel panic
Date: Fri, 30 Jan 2015 18:28:13 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.0-CURRENT
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: lme@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform
 op_sys bug_status bug_severity priority component assigned_to reporter
Message-ID: <bug-197203-8@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs/>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Jan 2015 18:28:13 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197203

            Bug ID: 197203
           Summary: [VIMAGE] null pointer dereference causing kernel panic
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: lme@FreeBSD.org

I'm running 11.0-CURRENT #12 r277858M amd64 with "options VIMAGE" compiled into
the kernel.

network related stuff in rc.conf:

gateway_enable="YES"
cloned_interfaces="bridge0 bridge1 tap0 tap1"
autobridge_interfaces="bridge0"
autobridge_bridge0="tap*"
ifconfig_bridge0="inet 192.168.29.1/24"
ipv6_activate_all_interfaces="YES"
ip6addrctl_enable="YES"
ip6addrctl_policy="ipv4_prefer"
ipv6_privacy="YES"
rtsold_enable="YES"
wlans_iwn0="wlan0"
ifconfig_wlan0="WPA DHCP country DE"
ifconfig_em0="DHCP"
ifconfig_em0_ipv6="inet6 accept_rtadv"

The machine boots fine, and all interfaces come up. But when I run "service
netif restart" from a running system I get a kernel panic:

Fatal trap 12: page fault while in kernel mode
cpuid = 3; apic id = 03
fault virtual address   = 0x28
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff80ac49c7
stack pointer           = 0x28:0xfffffe04431d67b0
frame pointer           = 0x28:0xfffffe04431d6850
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 0 (thread taskq)
Uptime: 3h55m14s
Dumping 857 out of 16050 MB:..2%..12%..21%..32%..42%..51%..62%..71%..81%..92%

#0  doadump (textdump=Unhandled dwarf expression opcode 0x93
) at pcpu.h:219
219     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) #0  doadump (textdump=Unhandled dwarf expression opcode 0x93
) at pcpu.h:219
#1  0xffffffff809c6c2f in kern_reboot (howto=260)
    at /usr/src/sys/kern/kern_shutdown.c:448
#2  0xffffffff809c7170 in panic (fmt=<value optimized out>)
    at /usr/src/sys/kern/kern_shutdown.c:747
#3  0xffffffff803589b7 in db_panic (addr=<value optimized out>,
have_addr=Unhandled dwarf expression opcode 0x93)
    at /usr/src/sys/ddb/db_command.c:473
#4  0xffffffff803585cc in db_command (cmd_table=0x0)
    at /usr/src/sys/ddb/db_command.c:440
#5  0xffffffff80358334 in db_command_loop ()
    at /usr/src/sys/ddb/db_command.c:493
#6  0xffffffff8035aef0 in db_trap (type=<value optimized out>, code=Unhandled
dwarf expression opcode 0x93)
    at /usr/src/sys/ddb/db_main.c:251
#7  0xffffffff80a0a40e in kdb_trap (type=Unhandled dwarf expression opcode
0x93) at /usr/src/sys/kern/subr_kdb.c:654
#8  0xffffffff80e3d259 in trap_fatal (frame=0xfffffe04431d6700, 
    eva=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:856
#9  0xffffffff80e3d5d1 in trap_pfault (frame=0xfffffe04431d6700, 
    usermode=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:678
#10 0xffffffff80e3cc0e in trap (frame=0xfffffe04431d6700)
    at /usr/src/sys/amd64/amd64/trap.c:426
#11 0xffffffff80e1e602 in calltrap ()
    at /usr/src/sys/amd64/amd64/exception.S:235
#12 0xffffffff80ac49c7 in rt_newmaddrmsg (cmd=Unhandled dwarf expression opcode
0x93)
    at /usr/src/sys/net/rtsock.c:1366
#13 0xffffffff80aadf90 in if_addmulti (ifp=0xfffff800065cb000, 
    sa=<value optimized out>, retifma=<value optimized out>)
    at /usr/src/sys/net/if.c:3159
#14 0xffffffff80aed63e in ieee80211_ioctl (ifp=<value optimized out>, 
    cmd=<value optimized out>, data=<value optimized out>)
    at /usr/src/sys/net80211/ieee80211_ioctl.c:3325
#15 0xffffffff80b1f2df in in_leavegroup (inm=0xfffff80205445500, 
    imf=<value optimized out>) at /usr/src/sys/netinet/in_mcast.c:1291
#16 0xffffffff80b2351d in inp_gcmoptions (context=<value optimized out>, 
    pending=<value optimized out>) at /usr/src/sys/netinet/in_mcast.c:1603
#17 0xffffffff80a1b309 in taskqueue_run_locked (queue=0xfffff80006358b00)
    at /usr/src/sys/kern/subr_taskqueue.c:431
#18 0xffffffff80a1c1c8 in taskqueue_thread_loop (arg=<value optimized out>)
    at /usr/src/sys/kern/subr_taskqueue.c:695
#19 0xffffffff8098627a in fork_exit (
    callout=0xffffffff80a1c100 <taskqueue_thread_loop>, 
    arg=0xffffffff8189fde0, frame=0xfffffe04431d6ac0)
    at /usr/src/sys/kern/kern_fork.c:996
#20 0xffffffff80e1eb3e in fork_trampoline ()
    at /usr/src/sys/amd64/amd64/exception.S:610
#21 0x0000000000000000 in ?? ()
Current language:  auto; currently minimal
(kgdb) 

(kgdb) frame 12
#12 0xffffffff80ac49c7 in rt_newmaddrmsg (cmd=Unhandled dwarf expression opcode
0x93
) at /usr/src/sys/net/rtsock.c:1366
1366        if (V_route_cb.any_count == 0)
(kgdb) p $rip
$1 = (void (*)()) 0xffffffff80ac49c7 <rt_newmaddrmsg+39>
(kgdb) disas *($rip)
Dump of assembler code for function rt_newmaddrmsg:
0xffffffff80ac49a0 <rt_newmaddrmsg+0>:    push   %rbp
0xffffffff80ac49a1 <rt_newmaddrmsg+1>:    mov    %rsp,%rbp
0xffffffff80ac49a4 <rt_newmaddrmsg+4>:    push   %r15
0xffffffff80ac49a6 <rt_newmaddrmsg+6>:    push   %r14
0xffffffff80ac49a8 <rt_newmaddrmsg+8>:    push   %rbx
0xffffffff80ac49a9 <rt_newmaddrmsg+9>:    sub    $0x78,%rsp
0xffffffff80ac49ad <rt_newmaddrmsg+13>:    mov    %rsi,%rbx
0xffffffff80ac49b0 <rt_newmaddrmsg+16>:    mov    %edi,%r14d
0xffffffff80ac49b3 <rt_newmaddrmsg+19>:    mov    0x20(%rbx),%r15
0xffffffff80ac49b7 <rt_newmaddrmsg+23>:    mov    %gs:0x0,%rax
0xffffffff80ac49c0 <rt_newmaddrmsg+32>:    mov    0x440(%rax),%rax
0xffffffff80ac49c7 <rt_newmaddrmsg+39>:    mov    0x28(%rax),%rax
0xffffffff80ac49cb <rt_newmaddrmsg+43>:    cmpl   $0x0,-0x7e9fdc20(%rax)
0xffffffff80ac49d5 <rt_newmaddrmsg+53>:    je     0xffffffff80ac4a52
<rt_newmaddrmsg+178>
0xffffffff80ac49d7 <rt_newmaddrmsg+55>:    lea    -0x88(%rbp),%rdi
0xffffffff80ac49de <rt_newmaddrmsg+62>:    mov    $0x70,%esi
0xffffffff80ac49e3 <rt_newmaddrmsg+67>:    callq  0xffffffff80e3acb0 <bzero>
0xffffffff80ac49e8 <rt_newmaddrmsg+72>:    mov    0x10(%rbx),%rax
0xffffffff80ac49ec <rt_newmaddrmsg+76>:    mov    %rax,-0x58(%rbp)
0xffffffff80ac49f0 <rt_newmaddrmsg+80>:    xor    %eax,%eax
0xffffffff80ac49f2 <rt_newmaddrmsg+82>:    test   %r15,%r15
0xffffffff80ac49f5 <rt_newmaddrmsg+85>:    je     0xffffffff80ac4a01
<rt_newmaddrmsg+97>
0xffffffff80ac49f7 <rt_newmaddrmsg+87>:    mov    0x1d8(%r15),%rax
0xffffffff80ac49fe <rt_newmaddrmsg+94>:    mov    (%rax),%rax
0xffffffff80ac4a01 <rt_newmaddrmsg+97>:    mov    %rax,-0x60(%rbp)
0xffffffff80ac4a05 <rt_newmaddrmsg+101>:    mov    0x18(%rbx),%rax
0xffffffff80ac4a09 <rt_newmaddrmsg+105>:    mov    %rax,-0x78(%rbp)
0xffffffff80ac4a0d <rt_newmaddrmsg+109>:    lea    -0x88(%rbp),%rsi
0xffffffff80ac4a14 <rt_newmaddrmsg+116>:    mov    %r14d,%edi
0xffffffff80ac4a17 <rt_newmaddrmsg+119>:    callq  0xffffffff80ac42e0
<rtsock_msg_mbuf>
0xffffffff80ac4a1c <rt_newmaddrmsg+124>:    test   %rax,%rax
0xffffffff80ac4a1f <rt_newmaddrmsg+127>:    je     0xffffffff80ac4a52
<rt_newmaddrmsg+178>
0xffffffff80ac4a21 <rt_newmaddrmsg+129>:    mov    0x10(%rax),%rcx
0xffffffff80ac4a25 <rt_newmaddrmsg+133>:    mov    0x5c(%r15),%dx
0xffffffff80ac4a2a <rt_newmaddrmsg+138>:    mov    %dx,0xc(%rcx)
0xffffffff80ac4a2e <rt_newmaddrmsg+142>:    mov    -0x88(%rbp),%edx
0xffffffff80ac4a34 <rt_newmaddrmsg+148>:    mov    %edx,0x4(%rcx)
0xffffffff80ac4a37 <rt_newmaddrmsg+151>:    mov    0x10(%rbx),%rcx
0xffffffff80ac4a3b <rt_newmaddrmsg+155>:    test   %rcx,%rcx
0xffffffff80ac4a3e <rt_newmaddrmsg+158>:    je     0xffffffff80ac4a45
<rt_newmaddrmsg+165>
0xffffffff80ac4a40 <rt_newmaddrmsg+160>:    mov    0x1(%rcx),%cl
0xffffffff80ac4a43 <rt_newmaddrmsg+163>:    jmp    0xffffffff80ac4a47
<rt_newmaddrmsg+167>
0xffffffff80ac4a45 <rt_newmaddrmsg+165>:    xor    %ecx,%ecx
0xffffffff80ac4a47 <rt_newmaddrmsg+167>:    movzbl %cl,%esi
---Type <return> to continue, or q <return> to quit---
0xffffffff80ac4a4a <rt_newmaddrmsg+170>:    mov    %rax,%rdi
0xffffffff80ac4a4d <rt_newmaddrmsg+173>:    callq  0xffffffff80ac44a0
<rt_dispatch>
0xffffffff80ac4a52 <rt_newmaddrmsg+178>:    add    $0x78,%rsp
0xffffffff80ac4a56 <rt_newmaddrmsg+182>:    pop    %rbx
0xffffffff80ac4a57 <rt_newmaddrmsg+183>:    pop    %r14
0xffffffff80ac4a59 <rt_newmaddrmsg+185>:    pop    %r15
0xffffffff80ac4a5b <rt_newmaddrmsg+187>:    pop    %rbp
0xffffffff80ac4a5c <rt_newmaddrmsg+188>:    retq   
End of assembler dump.

-- 
You are receiving this mail because:
You are the assignee for the bug.