Date: Tue, 10 Mar 2020 01:05:28 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 244706] [panic] NULL dereference inside __mtx_lock_sleep()
Message-ID: <bug-244706-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=244706

Bug ID: 244706
Summary: [panic] NULL dereference inside __mtx_lock_sleep()
Product: Base System
Version: 11.3-STABLE
Hardware: Any
OS: Any
Status: New
Keywords: panic
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: eugen@freebsd.org
CC: kib@FreeBSD.org

I observe very seldom kernel panics of my home router that runs FreeBSD 11.3-STABLE/amd64 r356315, once per several months. It panicked again today and I've got a nice crashdump.

The router uses a custom kernel with the following config file:

include GENERIC
ident GW
options DDB
options DDB_NUMSYM
options ALT_BREAK_TO_DEBUGGER
#EOF

The router processes several IPSec tunnels and some volume of fragmented ESP packets. The router uses ipfw and it has the following rule:

reass ip from any to any in { recv ng0 or recv em0 or recv wlan* }

kgdb session follows:

Unread portion of the kernel message buffer:
__curthread () at ./machine/pcpu.h:234
234 __asm("movq %%gs:%1,%0" : "=r" (td)
(kgdb) bt
#0 __curthread () at ./machine/pcpu.h:234
#1 doadump (textdump=1) at /usr/src/sys/kern/kern_shutdown.c:320
#2 0xffffffff80b2212d in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:388
#3 0xffffffff80b22578 in vpanic (fmt=<optimized out>, ap=0xfffffe022b5ed470) at /usr/src/sys/kern/kern_shutdown.c:784
#4 0xffffffff80b223b3 in panic (fmt=<unavailable>) at /usr/src/sys/kern/kern_shutdown.c:715
#5 0xffffffff80fb8d00 in trap_fatal (frame=0xfffffe022b5ed660, eva=952) at /usr/src/sys/amd64/amd64/trap.c:899
#6 0xffffffff80fb8d49 in trap_pfault (frame=0xfffffe022b5ed660, usermode=0) at /usr/src/sys/amd64/amd64/trap.c:744
#7 0xffffffff80fb83dd in trap (frame=0xfffffe022b5ed660) at /usr/src/sys/amd64/amd64/trap.c:438
#8 <signal handler called>
#9 __mtx_lock_sleep (c=0xffffffff81e57188 <ipq+45624>, v=<optimized out>) at /usr/src/sys/kern/kern_mutex.c:563
#10 0xffffffff80ca1078 in ipreass_slowtimo () at /usr/src/sys/netinet/ip_reass.c:573
#11 0xffffffff80baa504 in pfslowtimo (arg=0xffffffff81e57188 <ipq+45624>) at /usr/src/sys/kern/uipc_domain.c:506
#12 0xffffffff80b3acbf in softclock_call_cc (c=0xffffffff81e46200 <pfslow_callout>, cc=0xffffffff81efe000 <cc_cpu>, direct=0) at /usr/src/sys/kern/kern_timeout.c:729
#13 0xffffffff80b3b1b9 in softclock (arg=0xffffffff81efe000 <cc_cpu>) at /usr/src/sys/kern/kern_timeout.c:867
#14 0xffffffff80ae7119 in intr_event_execute_handlers (p=<optimized out>, ie=0xfffff80005240200) at /usr/src/sys/kern/kern_intr.c:1346
#15 0xffffffff80ae7807 in ithread_execute_handlers (p=<optimized out>, ie=<optimized out>) at /usr/src/sys/kern/kern_intr.c:1359
#16 ithread_loop (arg=0xfffff80005226680) at /usr/src/sys/kern/kern_intr.c:1440
#17 0xffffffff80ae44c3 in fork_exit (callout=0xffffffff80ae7720 <ithread_loop>, arg=0xfffff80005226680, frame=0xfffffe022b5ed9c0) at /usr/src/sys/kern/kern_fork.c:1086
#18 <signal handler called>
(kgdb) frame 10
#10 0xffffffff80ca1078 in ipreass_slowtimo () at /usr/src/sys/netinet/ip_reass.c:573
573 IPQ_LOCK(i);
(kgdb) l
568 ipreass_slowtimo(void)
569 {
570 struct ipq *fp, *tmp;
571
572 for (int i = 0; i < IPREASS_NHASH; i++) {
573 IPQ_LOCK(i);
574 TAILQ_FOREACH_SAFE(fp, &V_ipq[i].head, ipq_list, tmp)
575 if (--fp->ipq_ttl == 0)
576 ipq_timeout(&V_ipq[i], fp);
577 IPQ_UNLOCK(i);
(kgdb) p i
$1 = 814
(kgdb) frame 9
#9 __mtx_lock_sleep (c=0xffffffff81e57188 <ipq+45624>, v=<optimized out>) at /usr/src/sys/kern/kern_mutex.c:563
563 if (TD_IS_RUNNING(owner)) {
(kgdb) l
558 /*
559 * If the owner is running on another CPU, spin until the
560 * owner stops running or the state of the lock changes.
561 */
562 owner = lv_mtx_owner(v);
563 if (TD_IS_RUNNING(owner)) {
564 if (LOCK_LOG_TEST(&m->lock_object, 0))
565 CTR3(KTR_LOCK,
566 "%s: spinning on %p held by %p",
567 __func__, m, owner);
(kgdb) p ipq[45624]
$2 = {head = {tqh_first = 0xffffffff80b1d0c0 <_rm_wlock>, tqh_last = 0x2fb}, lock = {lock_object = {lo_name = 0x5001200125dd1 <error: Cannot access memory at address 0x5001200125dd1>, lo_flags = 2155235392, lo_data = 4294967295, lo_witness = 0x5eb}, mtx_lock = 1407452194168295}, count = -2139146832}
(kgdb) p owner
$3 = (struct thread *) 0x0
(kgdb) p *m
$4 = {lock_object = {lo_name = 0xffffffff81567e78 "IP reassembly", lo_flags = 21168128, lo_data = 0, lo_witness = 0x0}, mtx_lock = 2}
(kgdb) p v
$5 = <optimized out>
(kgdb) quit

--
You are receiving this mail because:
You are the assignee for the bug.