Date: Thu, 08 Nov 2018 17:58:27 +0000
From: bugzilla-noreply@freebsd.org
To: net@FreeBSD.org
Subject: [Bug 227720] Kernel panic in ppp server
Message-ID: <bug-227720-7501-Y1FBtfDrtx@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-227720-7501@https.bugs.freebsd.org/bugzilla/>
References: <bug-227720-7501@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=227720

--- Comment #37 from Franck Rousseau <Franck.Rousseau@imag.fr> ---
Thanks for the fast reply!

Not sure if I continue here or in bug #230498 but since this is still related to PPP, I put it here.

I only had 15 min to test, but it crashed right away on the first try. Here is the procedure:
- setup PC3: configure address on Ethernet interface;
- setup PC2: configure address on Ethernet interface, add ARP pub entry, activate forwarding, start ppp server and wait for connection;
- setup PC3: start pinging PC3, obviously it fails, start ppp client and open connection, add default route, everything works correctly.

Leave everything running as it is, then quit ppp on both sides, restart the server waiting for the connection, connect from client -> crash on PC2.

Here is the trace, it crashes one call further line rtsock.c:1559 after the patch

info.rti_info[RTAX_GENMASK] =3D 0; if (rt->rt_ifp) { - info.rti_info[RTAX_IFP] =3D rt->rt_ifp->if_addr->ifa_addr; + IF_ADDR_RLOCK(rt->rt_ifp); + if (rt->rt_ifp->if_addr !=3D NULL) + info.rti_info[RTAX_IFP] =3D rt->rt_ifp->if_addr->ifa_addr; info.rti_info[RTAX_IFA] =3D rt->rt_ifa->ifa_addr;

I also add a somewhat tidied up version of the (struct ifnet *)

(kgdb) bt
#0 doadump (textdump=<value optimized out>) at pcpu.h:229
#1 0xffffffff80af673b in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:383
#2 0xffffffff80af6b61 in vpanic (fmt=<value optimized out>, ap=<value optimized out>) at /usr/src/sys/kern/kern_shutdown.c:776
#3 0xffffffff80af69a3 in panic (fmt=<value optimized out>) at /usr/src/sys/kern/kern_shutdown.c:707
#4 0xffffffff80f77fdf in trap_fatal (frame=0xfffffe0468486290, eva=1208) at /usr/src/sys/amd64/amd64/trap.c:875
#5 0xffffffff80f78039 in trap_pfault (frame=0xfffffe0468486290, usermode=0) at pcpu.h:229
#6 0xffffffff80f77807 in trap (frame=0xfffffe0468486290) at /usr/src/sys/amd64/amd64/trap.c:415
#7 0xffffffff80f57fdc in calltrap () at /usr/src/sys/amd64/amd64/exception.S:231
#8 0xffffffff80af2893 in __rw_rlock_hard (rw=0xfffff800be4bc990, td=0xfffff80105056620, v=<value optimized out>) at /usr/src/sys/kern/kern_rwlock.c:493
#9 0xffffffff80c0ce9b in sysctl_dumpentry (rn=0xfffff80008e74270, vw=0xfffffe0468486690) at /usr/src/sys/net/rtsock.c:1559
#10 0xffffffff80c07aa0 in rn_walktree (h=<value optimized out>, f=<value optimized out>, w=<value optimized out>) at /usr/src/sys/net/radix.c:1094
#11 0xffffffff80c0c7ff in sysctl_rtsock (oidp=<value optimized out>, arg1=<value optimized out>, arg2=<value optimized out>, req=<value optimized out>) at /usr/src/sys/net/rtsock.c:1919
#12 0xffffffff80b03ccb in sysctl_root_handler_locked (oid=0xffffffff81a33f38, arg1=0xfffffe0468486908, arg2=4, req=0xfffffe0468486840, tracker=0xfffffe04684867b8) at /usr/src/sys/kern/kern_sysctl.c:165
#13 0xffffffff80b03521 in sysctl_root (arg1=0xfffffe0468486908, arg2=4) at /usr/src/sys/kern/kern_sysctl.c:1915
#14 0xffffffff80b03a46 in userland_sysctl (td=<value optimized out>, name=0xfffffe0468486900, namelen=6, old=0x0, oldlenp=<value optimized out>, inkernel=<value optimized out>, new=0x0, newlen=0, retval=0xfffffe0468486968, flags=0) at /usr/src/sys/kern/kern_sysctl.c:2011
#15 0xffffffff80b038cf in sys___sysctl (td=0xfffff80105056620, uap=0xfffff80105056b58) at /usr/src/sys/kern/kern_sysctl.c:1945
#16 0xffffffff80f79068 in amd64_syscall (td=0xfffff80105056620, traced=0) at subr_syscall.c:132
#17 0xffffffff80f5882d in fast_syscall_common () at /usr/src/sys/amd64/amd64/exception.S:479
#18 0x0000000801de047a in ?? ()
Previous frame inner to this frame (corrupt stack?)
Current language: auto; currently minimal
(kgdb) f 8
#8 0xffffffff80af2893 in __rw_rlock_hard (rw=0xfffff800be4bc990, td=0xfffff80105056620, v=<value optimized out>) at /usr/src/sys/kern/kern_rwlock.c:493
493 owner = (struct thread *)RW_OWNER(v);
Current language: auto; currently minimal
(kgdb) f 9
#9 0xffffffff80c0ce9b in sysctl_dumpentry (rn=0xfffff80008e74270, vw=0xfffffe0468486690) at /usr/src/sys/net/rtsock.c:1559
1559 IF_ADDR_RLOCK(rt->rt_ifp);
(kgdb) p rt->rt_ifp->if_addr_lock
$1 = {lock_object = {lo_name = 0xfffff800be4bc9f0 "P?K?", lo_flags = 3192637744, lo_data = 4294965248, lo_witness = 0xfffff80007085848}, rw_lock = 256}
(kgdb) p rt->rt_ifp->if_addr->ifa_addr
Cannot access memory at address 0x3700000018
(kgdb) p *rt->rt_ifp
$2 = {
  if_link = { tqe_next = 0xfffff800be9c9210, tqe_prev = 0xfffff800be9c9000 },
  if_clones = { le_next = 0xfffff800be4bc870, le_prev = 0xfffff800be4bcb70 },
  if_groups = { tqh_first = 0xfffff800be9c9048, tqh_last = 0x100 },
  if_alloctype = 0 '\0', if_softc = 0xfffff800be9c9000, if_llsoftc = 0x3e50000,
  if_l2com = 0x400000004, if_dname = 0x0, if_dunit = 51, if_index = 36, if_index_reserved = 0, if_xname = 0xfffff800be4bc860 "\020>y\b",
  if_description = 0xfffff800be4bc8d0 "0?K?", if_flags = -1102329840, if_drv_flags = -2048, if_capabilities = 142163016, if_capenable = -2048, if_linkmib = 0x100,
  if_linkmiblen = 0, if_refcount = 142162944, if_type = 0 '\0', if_addrlen = 248 '?', if_hdrlen = 255 '?', if_link_state = 255 '?', if_mtu = 1078468608,
  if_metric = 0, if_baudrate = 2, if_hwassist = 0, if_epoch = 90194313239,
  if_lastchange = { tv_sec = -8796001543664, tv_usec = -8796001544192 },
  if_snd = {
    ifq_head = 0xfffff800be4bc930, ifq_tail = 0xfffff800be4bc870, ifq_len = 91478088, ifq_maxlen = -2048,
    ifq_mtx = { lock_object = { lo_name = 0x100 <Address 0x100 out of bounds>, lo_flags = 0, lo_data = 0, lo_witness = 0xfffff8000573d800}, mtx_lock = 1079562240 },
    ifq_drv_head = 0x2,
    ifq_drv_tail = 0x0, ifq_drv_len = 149, ifq_drv_maxlen = 21, altq_type = 141323792, altq_flags = -2048, altq_disc = 0xfffff800086c6c00,
    altq_ifp = 0xfffff800be4bc990, altq_enqueue = 0xfffff800be4bc8d0, altq_dequeue = 0xfffff800086c6c48, altq_request = 0x100, altq_clfier = 0x0,
    altq_classify = 0xfffff800086c6c00, altq_tbr = 0x84a000, altq_cdnr = 0x4 },
  if_linktask = { ta_link = { stqe_next = 0x0}, ta_pending = 6, ta_priority = 0,
    ta_func = 0xfffff80007085a10, ta_context = 0xfffff80007085800 },
  if_addr_lock = { lock_object = { lo_name = 0xfffff800be4bc9f0 "P?K?", lo_flags = 3192637744, lo_data = 4294965248, lo_witness = 0xfffff80007085848 }, rw_lock = 256 },
  if_addrhead = { tqh_first = 0x0, tqh_last = 0xfffff80007085800 },
  if_multiaddrs = { tqh_first = 0xf7d000, tqh_last = 0x4 },
  if_amcount = 0, if_addr = 0x3700000018, if_broadcastaddr = 0xfffff80007090a10 "\001",
  if_afdata_lock = { lock_object = { lo_name = 0xfffff80007090800 "", lo_flags = 3192638032, lo_data = 4294965248, lo_witness = 0xfffff800be4bc990 }, rw_lock = 18446735277734561864 },
  if_afdata = 0xfffff800be4bca08, if_afdata_initialized = 63, if_fib = 55, if_vnet = 0xfffff800be3dd610, if_home_vnet = 0xfffff800be3dd400,
  if_vlantrunk = 0xfffff800be4bc810, if_bpf = 0xfffff800be4bccf0, if_pcount = -1103244216, if_bridge = 0x100, if_lagg = 0x0, if_pf_kif = 0xfffff800be3dd400,
  if_carp = 0x220a000, if_label = 0x400000004, if_netmap = 0x0, if_output = 0x2400000039, if_input = 0xfffff80007075a10, if_start = 0xfffff80007075800,
  if_ioctl = 0xfffff800be4bcc30, if_init = 0xfffff800be4bcb10, if_resolvemulti = 0xfffff80007075848, if_qflush = 0x100, if_transmit = 0,
  if_reassign = 0xfffff80007075800, if_get_counter = 0x40460000, if_requestencap = 0x2, if_counters = 0xfffff800be4bcc10, if_hw_tsomax = 0,
  if_hw_tsomaxsegcount = 0, if_hw_tsomaxsegsize = 17, if_pspare = 0xfffff800be4bcc80, if_hw_addr = 0xfffff800be4bcc30, if_pcp = 72 'H',
  if_bspare = 0xfffff800be4bcca1 "?\b\a", if_ispare = 0xfffff800be4bcca4
}

--
You are receiving this mail because:
You are the assignee for the bug.
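
Review bot: the added IF_ADDR_RLOCK(rt->rt_ifp) sits under a guard that only tests rt->rt_ifp for non-NULL, so the lock macro is the first dereference of the interface pointer and nothing in the quoted hunk establishes that the ifnet behind it is still valid. The trace in this comment faults in __rw_rlock_hard called from rtsock.c:1559, and the printed structure has if_addr = 0x3700000018 and an if_addr_lock whose lo_name reads "P?K?", so the if_addr != NULL test on the following line would not have caught this case even if the lock had been acquired. Suggest addressing the lifetime of rt->rt_ifp rather than the NULL case alone (for example a reference held by the route on its interface, or removal of routes that still point at an interface when it goes away; which fits is for the maintainers to judge), and confirm that a matching IF_ADDR_RUNLOCK follows the assignments on every path, since none is visible in the quoted lines.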