From: bugzilla-noreply@freebsd.org
To: net@FreeBSD.org
Subject: [Bug 227720] Kernel panic in ppp server
Date: Fri, 30 Nov 2018 09:48:35 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.1-RELEASE
X-Bugzilla-Keywords: crash, needs-qa
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: Franck.Rousseau@imag.fr
X-Bugzilla-Status: Open
X-Bugzilla-Assigned-To: net@FreeBSD.org
X-Bugzilla-Flags: mfc-stable11?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=227720

--- Comment #43 from Franck Rousseau ---
(In reply to Andrey V. Elsukov from comment #42)

This is what I reported in bug #230498 at comment #20 and at comment #37 in this thread.
I did it again from a clean SVN repo as you asked to be sure of the conclusion.

How to crash : - boot with the new kernel - ifconfig bge0 192.168.0.2 - ppp server then term, wait for ppp open from client, with local server address set to the same 192.168.0.2 - connection ok, it pings, then quit - restart ppp server then term, wait for ppp open from client, after getting PPp at the prompt, IP config is starting I guess, I get the crash, trying to access a NULL pointer In the dump: (kgdb) bt #0 doadump (textdump=3D1) at pcpu.h:229 #1 0xffffffff80b072a0 in kern_reboot (howto=3D260) at /usr/src/sys/kern/kern_shutdown.c:383 #2 0xffffffff80b076e1 in vpanic (fmt=3D, ap=3D) at /usr/src/sys/kern/kern_shutdown.c:776 #3 0xffffffff80b07523 in panic (fmt=3D) at /usr/src/sys/kern/kern_shutdown.c:707 #4 0xffffffff803aefc7 in db_panic (addr=3D, have_addr=3D,=20 count=3D, modif=3D) at /usr/src/sys/ddb/db_command.c:499 #5 0xffffffff803ae539 in db_command (cmd_table=3D) at /usr/src/sys/ddb/db_command.c:466 #6 0xffffffff803ae2b4 in db_command_loop () at /usr/src/sys/ddb/db_command.c:519 #7 0xffffffff803b14ff in db_trap (type=3D, code=3D) at /usr/src/sys/ddb/db_main.c:248 #8 0xffffffff80b4ed63 in kdb_trap (type=3D12, code=3D0, tf=3D) at /usr/src/sys/kern/subr_kdb.c:689 #9 0xffffffff80f99501 in trap_fatal (frame=3D0xfffffe0467edd320, eva=3D0) = at /usr/src/sys/amd64/amd64/trap.c:867 #10 0xffffffff80f99609 in trap_pfault (frame=3D0xfffffe0467edd320, usermode= =3D0) at pcpu.h:229 #11 0xffffffff80f98dd7 in trap (frame=3D0xfffffe0467edd320) at /usr/src/sys/amd64/amd64/trap.c:415 #12 0xffffffff80f78e6c in calltrap () at /usr/src/sys/amd64/amd64/exception.S:231 #13 0xffffffff80c24da4 in sysctl_dumpentry (rn=3D0xfffff80008954410, vw=3D0xfffffe0467edd690) at /usr/src/sys/net/rtsock.c:1559 #14 0xffffffff80c1f990 in rn_walktree (h=3D, f=3D, w=3D) at /usr/src/sys/net/radix.c:1094 #15 0xffffffff80c246fb in sysctl_rtsock (oidp=3D, arg1=3D,=20 arg2=3D, req=3D) at /usr/src/sys/net/rtsock.c:1917 #16 0xffffffff80b14a6b in sysctl_root_handler_locked (oid=3D0xffffffff81a69= 0d8, 
arg1=3D0xfffffe0467edd908, arg2=3D4,=20 req=3D0xfffffe0467edd840, tracker=3D0xfffffe0467edd7b8) at /usr/src/sys/kern/kern_sysctl.c:165 #17 0xffffffff80b142c1 in sysctl_root (arg1=3D0xfffffe0467edd908, arg2=3D4)= at /usr/src/sys/kern/kern_sysctl.c:1915 #18 0xffffffff80b147e6 in userland_sysctl (td=3D, name=3D0xfffffe0467edd900, namelen=3D6, old=3D0x0,=20 oldlenp=3D, inkernel=3D, new= =3D0x0, newlen=3D0, retval=3D0xfffffe0467edd968,=20 flags=3D0) at /usr/src/sys/kern/kern_sysctl.c:2011 #19 0xffffffff80b1466f in sys___sysctl (td=3D0xfffff80008837000, uap=3D0xfffff80008837538) at /usr/src/sys/kern/kern_sysctl.c:1945 #20 0xffffffff80f9a638 in amd64_syscall (td=3D0xfffff80008837000, traced=3D= 0) at subr_syscall.c:132 #21 0xffffffff80f796bd in fast_syscall_common () at /usr/src/sys/amd64/amd64/exception.S:479 #22 0x0000000801de047a in ?? () Previous frame inner to this frame (corrupt stack?) Current language: auto; currently minimal (kgdb) f 13 #13 0xffffffff80c24da4 in sysctl_dumpentry (rn=3D0xfffff80008954410, vw=3D0xfffffe0467edd690) at /usr/src/sys/net/rtsock.c:1559 1559 info.rti_info[RTAX_IFP] =3D rt->rt_ifp->if_addr->ifa_addr; (kgdb) print rt->rt_ifp->if_addr=20 $1 =3D (struct ifaddr *) 0x0 (kgdb) print rt->rt_ifp->if_flags $2 =3D 0 (kgdb) print rt->rt_ifp->if_index $3 =3D 0 (kgdb) print rt->rt_ifp=20=20=20=20=20=20=20=20=20=20 $4 =3D (struct ifnet *) 0xfffff8002be6c800 (kgdb) print *rt->rt_ifp $5 =3D {if_link =3D {tqe_next =3D 0xfffff800b0cfe050, tqe_prev =3D 0xfffff8= 00b0cfe0a0}, if_clones =3D {le_next =3D 0x0,=20 le_prev =3D 0x0}, if_groups =3D {tqh_first =3D 0x0, tqh_last =3D 0x0}, = if_alloctype =3D 0 '\0', if_softc =3D 0x0,=20 if_llsoftc =3D 0x0, if_l2com =3D 0x0, if_dname =3D 0x0, if_dunit =3D 0, i= f_index =3D 0, if_index_reserved =3D 0,=20 if_xname =3D 0xfffff8002be6c860 "", if_description =3D 0x0, if_flags =3D = 0, if_drv_flags =3D 0,=20 if_capabilities =3D -1325336224, if_capenable =3D -2048, if_linkmib =3D 0xfffff800b100f9b0,=20 if_linkmiblen =3D 
18446735280583750992, if_refcount =3D 2967221664, if_ty= pe =3D 0 '\0', if_addrlen =3D 248 '=EF=BF=BD',=20 if_hdrlen =3D 255 '=EF=BF=BD', if_link_state =3D 255 '=EF=BF=BD', if_mtu = =3D 2967221744, if_metric =3D 4294965248,=20 if_baudrate =3D 18446735280583751232, if_hwassist =3D 1844673528058294328= 0, if_epoch =3D -8793126608256, if_lastchange =3D { tv_sec =3D -8793126608176, tv_usec =3D 0}, if_snd =3D {ifq_head =3D 0x0= , ifq_tail =3D 0x0, ifq_len =3D 0, ifq_maxlen =3D 0,=20 ifq_mtx =3D {lock_object =3D {lo_name =3D 0x0, lo_flags =3D 503152064, = lo_data =3D 4294965252,=20 lo_witness =3D 0xfffff800053ee3c0}, mtx_lock =3D 184467352777045371= 04}, ifq_drv_head =3D 0xfffff800053ee460,=20 ifq_drv_tail =3D 0x0, ifq_drv_len =3D -1326900496, ifq_drv_maxlen =3D -= 2048, altq_type =3D -1326900416,=20 altq_flags =3D -2048, altq_disc =3D 0xfffff800b0cfe320, altq_ifp =3D 0xfffff800b0cfe370,=20 altq_enqueue =3D 0xfffff800b0cfe3c0, altq_dequeue =3D 0xfffff800b0cfe41= 0, altq_request =3D 0xfffff800b0dc3870,=20 altq_clfier =3D 0xfffff800b100f8c0, altq_classify =3D 0xfffff800b100f91= 0, altq_tbr =3D 0x0, altq_cdnr =3D 0x0},=20 if_linktask =3D {ta_link =3D {stqe_next =3D 0x0}, ta_pending =3D 0, ta_pr= iority =3D 0, ta_func =3D 0xfffff800b100fa00,=20 ta_context =3D 0x0}, if_addr_lock =3D {lock_object =3D {lo_name =3D 0xfffff800b0b8a1e0 "\200}=EF=BF=BD\035\004=EF=BF=BD=EF=BF=BD=EF=BF=BD\220= =EF=BF=BD=EF=BF=BD=EF=BF=BD",=20 lo_flags =3D 2964890160, lo_data =3D 4294965248, lo_witness =3D 0xfffff800b0b8a280}, rw_lock =3D 18446735280581419728},=20 if_addrhead =3D {tqh_first =3D 0x0, tqh_last =3D 0xfffff800b1044960}, if_= multiaddrs =3D {tqh_first =3D 0x0, tqh_last =3D 0x0},=20 if_amcount =3D 0, if_addr =3D 0x0, if_broadcastaddr =3D 0xfffff800b0e91d70 "\200}=EF=BF=BD\035\004=EF=BF=BD=EF=BF=BD=EF=BF=BD=EF=BF=BD\033=EF=BF=BD=EF= =BF=BD", if_afdata_lock =3D { lock_object =3D {lo_name =3D 0xfffff800b0e91dc0 "\200}=EF=BF=BD\035\004= =EF=BF=BD=EF=BF=BD=EF=BF=BDp\035=EF=BF=BD=EF=BF=BD", 
lo_flags =3D 2967222464,=20 lo_data =3D 4294965248, lo_witness =3D 0xfffff800b0dc3910}, rw_lock = =3D 18446735280583752032},=20 if_afdata =3D 0xfffff8002be6ca08, if_afdata_initialized =3D -1330076256, = if_fib =3D 4294965248,=20 if_vnet =3D 0xfffff800b0b8a5f0, if_home_vnet =3D 0xfffff800b0b8a640, if_v= lantrunk =3D 0xfffff800b100fe60,=20 if_bpf =3D 0xfffff800b100feb0, if_pcount =3D -1325334784, if_bridge =3D 0xfffff800b100ff50, if_lagg =3D 0x0,=20 if_pf_kif =3D 0xfffff800b1072000, if_carp =3D 0xfffff800b1072050, if_labe= l =3D 0xfffff800b10720a0,=20 if_netmap =3D 0xfffff800b0b8a690, if_output =3D 0xfffff800b0b8a6e0, if_in= put =3D 0xfffff800b0b8a730,=20 if_start =3D 0xfffff800b0f5c280, if_ioctl =3D 0xfffff800b0f5c2d0, if_init= =3D 0, if_resolvemulti =3D 0,=20 if_qflush =3D 0xfffff800b0cfea00, if_transmit =3D 0xfffff800b0cfea50, if_= reassign =3D 0xfffff800b0cfeaa0,=20 if_get_counter =3D 0xfffff800b0dc3f50, if_requestencap =3D 0xfffff800b107= 2320, if_counters =3D 0xfffff8002be6cc10,=20 if_hw_tsomax =3D 2968896528, if_hw_tsomaxsegcount =3D 4294965248, if_hw_tsomaxsegsize =3D 2970036096,=20 if_pspare =3D 0xfffff8002be6cc80, if_hw_addr =3D 0xfffff800b0cfebe0, if_p= cp =3D 160 '=EF=BF=BD',=20 if_bspare =3D 0xfffff8002be6cca1 "\020=EF=BF=BD=EF=BF=BD", if_ispare =3D = 0xfffff8002be6cca4} --=20 You are receiving this mail because: You are the assignee for the bug.=