From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 244706] [panic] NULL dereference inside __mtx_lock_sleep()
Date: Tue, 10 Mar 2020 01:05:28 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=244706

            Bug ID: 244706
           Summary: [panic] NULL dereference inside __mtx_lock_sleep()
           Product: Base System
           Version: 11.3-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Keywords: panic
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: eugen@freebsd.org
                CC: kib@FreeBSD.org

I observe very rare kernel panics of my home router that runs FreeBSD
11.3-STABLE/amd64 r356315, once per several months. It panicked again today
and I've got a nice crashdump. The router uses a custom kernel with the
following config file:

include GENERIC
ident GW
options DDB
options DDB_NUMSYM
options ALT_BREAK_TO_DEBUGGER
#EOF

The router processes several IPSec tunnels and some volume of fragmented ESP
packets. The router uses ipfw and it has the following rule:

reass ip from any to any in { recv ng0 or recv em0 or recv wlan* }

kgdb session follows:

Unread portion of the kernel message buffer:

__curthread () at ./machine/pcpu.h:234
234             __asm("movq %%gs:%1,%0" : "=r" (td)
(kgdb) bt
#0  __curthread () at ./machine/pcpu.h:234
#1  doadump (textdump=1) at /usr/src/sys/kern/kern_shutdown.c:320
#2  0xffffffff80b2212d in kern_reboot (howto=260)
    at /usr/src/sys/kern/kern_shutdown.c:388
#3  0xffffffff80b22578 in vpanic (fmt=, ap=0xfffffe022b5ed470)
    at /usr/src/sys/kern/kern_shutdown.c:784
#4  0xffffffff80b223b3 in panic (fmt=)
    at /usr/src/sys/kern/kern_shutdown.c:715
#5  0xffffffff80fb8d00 in trap_fatal (frame=0xfffffe022b5ed660, eva=952)
    at /usr/src/sys/amd64/amd64/trap.c:899
#6  0xffffffff80fb8d49 in trap_pfault (frame=0xfffffe022b5ed660, usermode=0)
    at /usr/src/sys/amd64/amd64/trap.c:744
#7  0xffffffff80fb83dd in trap (frame=0xfffffe022b5ed660)
    at /usr/src/sys/amd64/amd64/trap.c:438
#8
#9  __mtx_lock_sleep (c=0xffffffff81e57188 , v=)
    at /usr/src/sys/kern/kern_mutex.c:563
#10 0xffffffff80ca1078 in ipreass_slowtimo ()
    at /usr/src/sys/netinet/ip_reass.c:573
#11 0xffffffff80baa504 in pfslowtimo (arg=0xffffffff81e57188 )
    at /usr/src/sys/kern/uipc_domain.c:506
#12 0xffffffff80b3acbf in softclock_call_cc (
--Type for more, q to quit, c to continue without paging--c
    c=0xffffffff81e46200 , cc=0xffffffff81efe000 , direct=0)
    at /usr/src/sys/kern/kern_timeout.c:729
#13 0xffffffff80b3b1b9 in softclock (arg=0xffffffff81efe000 )
    at /usr/src/sys/kern/kern_timeout.c:867
#14 0xffffffff80ae7119 in intr_event_execute_handlers (p=,
    ie=0xfffff80005240200) at /usr/src/sys/kern/kern_intr.c:1346
#15 0xffffffff80ae7807 in ithread_execute_handlers (p=, ie=)
    at /usr/src/sys/kern/kern_intr.c:1359
#16 ithread_loop (arg=0xfffff80005226680)
    at /usr/src/sys/kern/kern_intr.c:1440
#17 0xffffffff80ae44c3 in fork_exit (callout=0xffffffff80ae7720 ,
    arg=0xfffff80005226680, frame=0xfffffe022b5ed9c0)
    at /usr/src/sys/kern/kern_fork.c:1086
#18
(kgdb) frame 10
#10 0xffffffff80ca1078 in ipreass_slowtimo ()
    at /usr/src/sys/netinet/ip_reass.c:573
573                     IPQ_LOCK(i);
(kgdb) l
568     ipreass_slowtimo(void)
569     {
570             struct ipq *fp, *tmp;
571
572             for (int i = 0; i < IPREASS_NHASH; i++) {
573                     IPQ_LOCK(i);
574                     TAILQ_FOREACH_SAFE(fp, &V_ipq[i].head, ipq_list, tmp)
575                             if (--fp->ipq_ttl == 0)
576                                     ipq_timeout(&V_ipq[i], fp);
577                     IPQ_UNLOCK(i);
(kgdb) p i
$1 = 814
(kgdb) frame 9
#9  __mtx_lock_sleep (c=0xffffffff81e57188 , v=)
    at /usr/src/sys/kern/kern_mutex.c:563
563                     if (TD_IS_RUNNING(owner)) {
(kgdb) l
558                     /*
559                      * If the owner is running on another CPU, spin until the
560                      * owner stops running or the state of the lock changes.
561                      */
562                     owner = lv_mtx_owner(v);
563                     if (TD_IS_RUNNING(owner)) {
564                             if (LOCK_LOG_TEST(&m->lock_object, 0))
565                                     CTR3(KTR_LOCK,
566                                         "%s: spinning on %p held by %p",
567                                         __func__, m, owner);
(kgdb) p ipq[45624]
$2 = {head = {tqh_first = 0xffffffff80b1d0c0 <_rm_wlock>, tqh_last = 0x2fb},
  lock = {lock_object = { lo_name = 0x5001200125dd1 , lo_flags = 2155235392,
      lo_data = 4294967295, lo_witness = 0x5eb}, mtx_lock = 1407452194168295},
  count = -2139146832}
(kgdb) p owner
$3 = (struct thread *) 0x0
(kgdb) p *m
$4 = {lock_object = {lo_name = 0xffffffff81567e78 "IP reassembly",
    lo_flags = 21168128, lo_data = 0, lo_witness = 0x0}, mtx_lock = 2}
(kgdb) p v
$5 =
(kgdb) quit