From owner-freebsd-net@freebsd.org Thu Nov 8 17:58:30 2018 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7A7A311326A8 for ; Thu, 8 Nov 2018 17:58:30 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mailman.ysv.freebsd.org (mailman.ysv.freebsd.org [IPv6:2001:1900:2254:206a::50:5]) by mx1.freebsd.org (Postfix) with ESMTP id EAA218A56E for ; Thu, 8 Nov 2018 17:58:29 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: by mailman.ysv.freebsd.org (Postfix) id AF05F11326A7; Thu, 8 Nov 2018 17:58:29 +0000 (UTC) Delivered-To: net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8D07611326A6 for ; Thu, 8 Nov 2018 17:58:29 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.ysv.freebsd.org (mxrelay.ysv.freebsd.org [IPv6:2001:1900:2254:206a::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (Client CN "mxrelay.ysv.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id B97218A568 for ; Thu, 8 Nov 2018 17:58:28 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.ysv.freebsd.org (Postfix) with ESMTPS id D3D4C74D6 for ; Thu, 8 Nov 2018 17:58:27 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id wA8HwRZx042085 for ; Thu, 8 Nov 2018 17:58:27 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id wA8HwRD2042084 for net@FreeBSD.org; Thu, 8 Nov 2018 17:58:27 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: net@FreeBSD.org Subject: [Bug 227720] Kernel panic in ppp server Date: Thu, 08 Nov 2018 17:58:27 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 11.1-RELEASE X-Bugzilla-Keywords: crash, needs-qa X-Bugzilla-Severity: Affects Some People X-Bugzilla-Who: Franck.Rousseau@imag.fr X-Bugzilla-Status: Open X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: net@FreeBSD.org X-Bugzilla-Flags: mfc-stable11? X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-Rspamd-Queue-Id: EAA218A56E X-Spamd-Result: default: False [-105.81 / 200.00]; FORGED_RECIPIENTS_FORWARDING(0.00)[]; ALLOW_DOMAIN_WHITELIST(-100.00)[freebsd.org]; FORWARDED(0.00)[net@mailman.ysv.freebsd.org]; SPF_FAIL_FORWARDING(0.00)[]; TO_DN_NONE(0.00)[]; HAS_XAW(0.00)[]; R_SPF_SOFTFAIL(0.00)[~all]; XAW_SERVICE_ACCT(1.00)[]; RCVD_IN_DNSWL_MED(-0.20)[5.0.0.0.0.5.0.0.0.0.0.0.0.0.0.0.a.6.0.2.4.5.2.2.0.0.9.1.1.0.0.2.list.dnswl.org : 127.0.9.2]; MX_GOOD(-0.01)[cached: mx66.freebsd.org]; NEURAL_HAM_SHORT(-1.00)[-0.996,0]; RCVD_NO_TLS_LAST(0.10)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; IP_SCORE(-3.60)[ip: (-9.76), ipnet: 2001:1900:2254::/48(-4.62), asn: 10310(-3.54), country: US(-0.09)]; ASN(0.00)[asn:10310, ipnet:2001:1900:2254::/48, country:US]; FORGED_RECIPIENTS(0.00)[net@FreeBSD.org,freebsd-net@freebsd.org]; TO_DOM_EQ_FROM_DOM(0.00)[]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[freebsd.org]; RCPT_COUNT_ONE(0.00)[1]; FROM_NO_DN(0.00)[]; RCVD_COUNT_SEVEN(0.00)[7] X-Rspamd-Server: mx1.freebsd.org X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Nov 2018 17:58:30 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D227720 --- Comment #37 from Franck Rousseau --- Thanks for the fast reply! Not sure if I continue here or in bug #230498 but since this is still related to PPP, I put it here. I only had 15 min to test, but it crashed right away on the first try. Here= is the procedure: - setup PC3: configure address on Ethernet interface; - setup PC2: configure address on Ethernet interface, add ARP pub entry, activate forwarding, start ppp server and wait for connection; - setup PC3: start pinging PC3, obviously it fails, start ppp client and op= en connection, add default route, everything works correctly. Leave everything running as it is, then quit ppp on both sides, restart the server waiting for the connection, connect from client -> crash on PC2. Here is the trace, it crashes one call further line rtsock.c:1559 after the patch info.rti_info[RTAX_GENMASK] =3D 0; if (rt->rt_ifp) { - info.rti_info[RTAX_IFP] =3D rt->rt_ifp->if_addr->ifa_addr; + IF_ADDR_RLOCK(rt->rt_ifp); + if (rt->rt_ifp->if_addr !=3D NULL) + info.rti_info[RTAX_IFP] =3D rt->rt_ifp->if_addr->ifa_addr; info.rti_info[RTAX_IFA] =3D rt->rt_ifa->ifa_addr; I also add a somewhat tidied up version of the (struct ifnet *) (kgdb) bt #0 doadump (textdump=3D) at pcpu.h:229 #1 0xffffffff80af673b in kern_reboot (howto=3D260) at /usr/src/sys/kern/kern_shutdown.c:383 #2 0xffffffff80af6b61 in vpanic (fmt=3D, ap=3D) at /usr/src/sys/kern/kern_shutdown.c:776 #3 0xffffffff80af69a3 in panic (fmt=3D) at /usr/src/sys/kern/kern_shutdown.c:707 #4 0xffffffff80f77fdf in trap_fatal (frame=3D0xfffffe0468486290, eva=3D120= 8) at /usr/src/sys/amd64/amd64/trap.c:875 #5 0xffffffff80f78039 in trap_pfault (frame=3D0xfffffe0468486290, usermode= =3D0) at pcpu.h:229 #6 0xffffffff80f77807 in trap (frame=3D0xfffffe0468486290) at /usr/src/sys/amd64/amd64/trap.c:415 #7 0xffffffff80f57fdc in calltrap () at /usr/src/sys/amd64/amd64/exception.S:231 #8 0xffffffff80af2893 in __rw_rlock_hard (rw=3D0xfffff800be4bc990, td=3D0xfffff80105056620, v=3D) at /usr/src/sys/kern/kern_rwlock.c:493 #9 0xffffffff80c0ce9b in sysctl_dumpentry (rn=3D0xfffff80008e74270, vw=3D0xfffffe0468486690) at /usr/src/sys/net/rtsock.c:1559 #10 0xffffffff80c07aa0 in rn_walktree (h=3D, f=3D, w=3D) at /usr/src/sys/net/radix.c:1094 #11 0xffffffff80c0c7ff in sysctl_rtsock (oidp=3D, arg1=3D, arg2=3D, req=3D) at /usr/src/sys/net/rtsock.c:1919 #12 0xffffffff80b03ccb in sysctl_root_handler_locked (oid=3D0xffffffff81a33= f38, arg1=3D0xfffffe0468486908, arg2=3D4, req=3D0xfffffe0468486840, tracker=3D0xfffffe04684867b8) at /usr/src/sys/kern/kern_sysctl.c:165 #13 0xffffffff80b03521 in sysctl_root (arg1=3D0xfffffe0468486908, arg2=3D4)= at /usr/src/sys/kern/kern_sysctl.c:1915 #14 0xffffffff80b03a46 in userland_sysctl (td=3D, name=3D0xfffffe0468486900, namelen=3D6, old=3D0x0, oldlenp=3D, inkernel=3D, new=3D0x0, newlen=3D0, retval=3D0xfffffe0= 468486968, flags=3D0) at /usr/src/sys/kern/kern_sysctl.c:2011 #15 0xffffffff80b038cf in sys___sysctl (td=3D0xfffff80105056620, uap=3D0xfffff80105056b58) at /usr/src/sys/kern/kern_sysctl.c:1945 #16 0xffffffff80f79068 in amd64_syscall (td=3D0xfffff80105056620, traced=3D= 0) at subr_syscall.c:132 #17 0xffffffff80f5882d in fast_syscall_common () at /usr/src/sys/amd64/amd64/exception.S:479 #18 0x0000000801de047a in ?? () Previous frame inner to this frame (corrupt stack?) Current language: auto; currently minimal (kgdb) f 8 #8 0xffffffff80af2893 in __rw_rlock_hard (rw=3D0xfffff800be4bc990, td=3D0xfffff80105056620, v=3D) at /usr/src/sys/kern/kern_rwlock.c:493 493 owner =3D (struct thread *)RW_OWNER(v); Current language: auto; currently minimal (kgdb) f 9 #9 0xffffffff80c0ce9b in sysctl_dumpentry (rn=3D0xfffff80008e74270, vw=3D0xfffffe0468486690) at /usr/src/sys/net/rtsock.c:1559 1559 IF_ADDR_RLOCK(rt->rt_ifp); (kgdb) p rt->rt_ifp->if_addr_lock $1 =3D {lock_object =3D {lo_name =3D 0xfffff800be4bc9f0 "P?K?", lo_flags =3D 3192637744, lo_data =3D 4294965248, lo_witness =3D 0xfffff80007085848}, rw_= lock =3D 256} (kgdb) p rt->rt_ifp->if_addr->ifa_addr Cannot access memory at address 0x3700000018 (kgdb) p *rt->rt_ifp $2 =3D { if_link =3D { tqe_next =3D 0xfffff800be9c9210, tqe_prev =3D 0xfffff800b= e9c9000 }, if_clones =3D { le_next =3D 0xfffff800be4bc870, le_prev =3D 0xfffff800b= e4bcb70 },=20 if_groups =3D { tqh_first =3D 0xfffff800be9c9048, tqh_last =3D 0x100 }, if_alloctype =3D 0 '\0', if_softc =3D 0xfffff800be9c9000, if_llsoftc =3D 0x3e50000,=20 if_l2com =3D 0x400000004, if_dname =3D 0x0, if_dunit =3D 51, if_index =3D 36, if_index_reserved =3D 0, if_xname =3D 0xfffff800be4bc860 "\020>y\b",=20 if_description =3D 0xfffff800be4bc8d0 "0?K?", if_flags =3D -1102329840, if_drv_flags =3D -2048, if_capabilities =3D 142163016, if_capenable =3D -2048, if_linkmib =3D 0x100,=20 if_linkmiblen =3D 0, if_refcount =3D 142162944, if_type =3D 0 '\0', if_addrlen =3D 248 '?', if_hdrlen =3D 255 '?', if_link_state =3D 255 '?', if_mtu =3D 1078468608,=20 if_metric =3D 0, if_baudrate =3D 2, if_hwassist =3D 0, if_epoch =3D 90194313239, if_lastchange =3D { tv_sec =3D -8796001543664, tv_usec =3D -87960015441= 92 }, if_snd =3D { ifq_head =3D 0xfffff800be4bc930, ifq_tail =3D 0xfffff800be4bc870, ifq_len =3D 91478088, ifq_maxlen =3D -2048, ifq_mtx =3D { lock_object =3D { lo_name =3D 0x100
, lo_flags =3D 0, lo_data =3D 0, lo_witness =3D 0xfffff8000573d8= 00}, mtx_lock =3D 1079562240 }, ifq_drv_head =3D 0x2,=20 ifq_drv_tail =3D 0x0, ifq_drv_len =3D 149, ifq_drv_maxlen =3D 21, altq_type =3D 141323792, altq_flags =3D -2048, altq_disc =3D 0xfffff800086c6c00,=20 altq_ifp =3D 0xfffff800be4bc990, altq_enqueue =3D 0xfffff800be4bc8d0, altq_dequeue =3D 0xfffff800086c6c48, altq_request =3D 0x100, altq_clfier =3D 0x0,=20 altq_classify =3D 0xfffff800086c6c00, altq_tbr =3D 0x84a000, altq_cdnr =3D 0x4 }, if_linktask =3D { ta_link =3D { stqe_next =3D 0x0}, ta_pending =3D 6, ta_priority =3D 0,=20 ta_func =3D 0xfffff80007085a10, ta_context =3D 0xfffff80007085800 }, if_addr_lock =3D { lock_object =3D { lo_name =3D 0xfffff800be4bc9f0 = "P?K?", lo_flags =3D 3192637744, lo_data =3D 4294965248, lo_witness =3D 0xfffff80007085848 }, rw_lock =3D 256 }, if_addrhead =3D { tqh_first =3D 0x0, tqh_last =3D 0xfffff80007085800 }, if_multiaddrs =3D { tqh_first =3D 0xf7d000, tqh_last =3D 0x4 }, if_amcount =3D 0, if_addr =3D 0x3700000018, if_broadcastaddr =3D 0xfffff80007090a10 "\001", if_afdata_lock =3D { lock_object =3D { lo_name =3D 0xfffff80007090800 = "", lo_flags =3D 3192638032, lo_data =3D 4294965248, lo_witness =3D 0xfffff800be4bc990 }, rw_lock =3D 18446735277734561864 },=20 if_afdata =3D 0xfffff800be4bca08, if_afdata_initialized =3D 63, if_fib =3D 55, if_vnet =3D 0xfffff800be3dd610, if_home_vnet =3D 0xfffff800be3dd400,=20 if_vlantrunk =3D 0xfffff800be4bc810, if_bpf =3D 0xfffff800be4bccf0, if_pcount =3D -1103244216, if_bridge =3D 0x100, if_lagg =3D 0x0, if_pf_kif =3D 0xfffff800be3dd400,=20 if_carp =3D 0x220a000, if_label =3D 0x400000004, if_netmap =3D 0x0, if_output =3D 0x2400000039, if_input =3D 0xfffff80007075a10, if_start =3D 0xfffff80007075800,=20 if_ioctl =3D 0xfffff800be4bcc30, if_init =3D 0xfffff800be4bcb10, if_resolvemulti =3D 0xfffff80007075848, if_qflush =3D 0x100, if_transmit =3D 0,=20 if_reassign =3D 0xfffff80007075800, if_get_counter =3D 0x40460000, if_requestencap =3D 0x2, if_counters =3D 0xfffff800be4bcc10, if_hw_tsomax =3D 0,=20 if_hw_tsomaxsegcount =3D 0, if_hw_tsomaxsegsize =3D 17, if_pspare =3D 0xfffff800be4bcc80, if_hw_addr =3D 0xfffff800be4bcc30, if_pcp =3D 72 'H',=20 if_bspare =3D 0xfffff800be4bcca1 "?\b\a", if_ispare =3D 0xfffff800be4bcca4 } --=20 You are receiving this mail because: You are the assignee for the bug.=