Skip site navigation (1)Skip section navigation (2)
Date:      Fri,  4 Sep 2009 01:39:07 -0800 (AKDT)
From:      Mel Flynn <mel@rachie.is-a-geek.net>
To:        FreeBSD-gnats-submit@freebsd.org
Cc:        freebsd-net@FreeBSD.org
Subject:   [panic] Kernel corruption of pppoe lists
Message-ID:  <20090904093907.B61227E854@mailhub.rachie.is-a-geek.net>

next in thread | raw e-mail | index | archive | help

>Submitter-Id:	current-users
>Originator:	Mel Flynn
>Confidential:	no 
>Synopsis:	[panic] Kernel corruption of pppoe lists
>Severity:	critical
>Priority:	low
>Category:	kern
>Class:		sw-bug
>Release:	FreeBSD 7.2-STABLE i386
>Environment:
System: FreeBSD gate.rachie.is-a-geek.net 7.2-STABLE FreeBSD 7.2-STABLE #0: Sun Jun 28 00:01:59 AKDT 2009 mdev@squish.rachie.is-a-geek.net:/data/obj/data/RELENG_7/src/sys/GATE i386


	
>Description:
I realize the kernel is a bit old, but it also very hard to reproduce. Kernel
was up 56 days and this crash happened shortly after a very long connect time,
hangup by ISP and some renegotiation issues. I can provide the ppp.log of the
incident if needed.

What bothers me is the contents of the session list element, preceding the element
cannot be accessed. Clearly, there is random kernel memory present there, judging
from ether_dhost and ether_shost.

# kgdb /boot/kernel/kernel /var/crash/vmcore.0 
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
fault virtual address	= 0x2d465459
fault code		= supervisor read, page not present
instruction pointer	= 0x20:0xc06cd0a0
stack pointer	        = 0x28:0xc3b86a98
frame pointer	        = 0x28:0xc3b86ac0
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 35 (irq22: xl0)
trap number		= 12
panic: page fault
Uptime: 56d6h29m38s
Physical memory: 1007 MB
Dumping 174 MB: 159 143 127 111 95 79 63 47 31 15

Reading symbols from /boot/kernel/geom_journal.ko...Reading symbols from /boot/kernel/geom_journal.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/geom_journal.ko
Reading symbols from /boot/kernel/wlan_xauth.ko...Reading symbols from /boot/kernel/wlan_xauth.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/wlan_xauth.ko
Reading symbols from /boot/kernel/acpi.ko...Reading symbols from /boot/kernel/acpi.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/acpi.ko
Reading symbols from /boot/kernel/if_bridge.ko...Reading symbols from /boot/kernel/if_bridge.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/if_bridge.ko
Reading symbols from /boot/kernel/bridgestp.ko...Reading symbols from /boot/kernel/bridgestp.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/bridgestp.ko
Reading symbols from /boot/kernel/ng_ether.ko...Reading symbols from /boot/kernel/ng_ether.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_ether.ko
Reading symbols from /boot/kernel/ng_socket.ko...Reading symbols from /boot/kernel/ng_socket.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_socket.ko
Reading symbols from /boot/kernel/daemon_saver.ko...Reading symbols from /boot/kernel/daemon_saver.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/daemon_saver.ko
#0  doadump () at pcpu.h:196
196	pcpu.h: No such file or directory.
	in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:196
#1  0xc05ef5d3 in boot (howto=260) at /data/RELENG_7/src/sys/kern/kern_shutdown.c:418
#2  0xc05ef7de in panic (fmt=Variable "fmt" is not available.
) at /data/RELENG_7/src/sys/kern/kern_shutdown.c:574
#3  0xc085c72c in trap_fatal (frame=0xc3b86a58, eva=759583833)
    at /data/RELENG_7/src/sys/i386/i386/trap.c:938
#4  0xc085c9b0 in trap_pfault (frame=0xc3b86a58, usermode=0, eva=759583833)
    at /data/RELENG_7/src/sys/i386/i386/trap.c:851
#5  0xc085d339 in trap (frame=0xc3b86a58) at /data/RELENG_7/src/sys/i386/i386/trap.c:529
#6  0xc0844a4b in calltrap () at /data/RELENG_7/src/sys/i386/i386/exception.s:166
#7  0xc06cd0a0 in pppoe_findsession (privp=0xc4258000, wh=Variable "wh" is not available.
)
    at /data/RELENG_7/src/sys/netgraph/ng_pppoe.c:567
#8  0xc06ce1a0 in ng_pppoe_rcvdata_ether (hook=0xc41b6380, item=0xc4256120)
    at /data/RELENG_7/src/sys/netgraph/ng_pppoe.c:1612
#9  0xc06c566f in ng_apply_item (node=0xc4111e80, item=0xc4256120, rw=0)
    at /data/RELENG_7/src/sys/netgraph/ng_base.c:2336
#10 0xc06c47e0 in ng_snd_item (item=0xc4256120, flags=Variable "flags" is not available.
)
    at /data/RELENG_7/src/sys/netgraph/ng_base.c:2254
#11 0xc068de5f in ether_demux (ifp=0xc3dbb400, m=0xc8024d00)
    at /data/RELENG_7/src/sys/net/if_ethersubr.c:851
#12 0xc068e1b3 in ether_input (ifp=0xc3dbb400, m=0xc8024d00)
    at /data/RELENG_7/src/sys/net/if_ethersubr.c:692
#13 0xc07b5348 in xl_rxeof (sc=0xc3dbc000) at /data/RELENG_7/src/sys/pci/if_xl.c:2022
#14 0xc07b7834 in xl_intr (arg=0xc3dbc000) at /data/RELENG_7/src/sys/pci/if_xl.c:2257
#15 0xc05cd10b in ithread_loop (arg=0xc3dc10c0)
    at /data/RELENG_7/src/sys/kern/kern_intr.c:1127
#16 0xc05c9ae6 in fork_exit (callout=0xc05ccf60 <ithread_loop>, arg=0xc3dc10c0, 
    frame=0xc3b86d38) at /data/RELENG_7/src/sys/kern/kern_fork.c:811
#17 0xc0844ac0 in fork_trampoline () at /data/RELENG_7/src/sys/i386/i386/exception.s:271
(kgdb) frame 7
#7  0xc06cd0a0 in pppoe_findsession (privp=0xc4258000, wh=Variable "wh" is not available.
)
    at /data/RELENG_7/src/sys/netgraph/ng_pppoe.c:567
567			if (sp->Session_ID == session &&
(kgdb) print sp
$1 = 0x2d465455
(kgdb) print *sp
Cannot access memory at address 0x2d465455
(kgdb) print *privp
$2 = {node = 0xc4111e80, ethernet_hook = 0xc41b6380, debug_hook = 0x0, 
  packets_in = 126728356, packets_out = 69301432, flags = 0, eh = {ether_dhost = "ÿÿÿÿÿÿ", 
    ether_shost = "\000\001\002Çù6", ether_type = 25480}, listeners = {lh_first = 0x0}, 
  sesshash = {{mtx = {lock_object = {lo_name = 0xc08b8dc2 "PPPoE hash mutex", 
          lo_type = 0xc08b8dc2 "PPPoE hash mutex", lo_flags = 16973824, lo_witness_data = {
            lod_list = {stqe_next = 0x0}, lod_witness = 0x0}}, mtx_lock = 3285460096, 
        mtx_recurse = 0}, head = {lh_first = 0xc5093780}}, {mtx = {lock_object = {
          lo_name = 0xc08b8dc2 "PPPoE hash mutex", 
          lo_type = 0xc08b8dc2 "PPPoE hash mutex", lo_flags = 16973824, lo_witness_data = {
            lod_list = {stqe_next = 0x0}, lod_witness = 0x0}}, mtx_lock = 4, 
        mtx_recurse = 0}, head = {lh_first = 0x0}} <repeats 89 times>, {mtx = {
        lock_object = {lo_name = 0xc08b8dc2 "PPPoE hash mutex", 
          lo_type = 0xc08b8dc2 "PPPoE hash mutex", lo_flags = 16973824, lo_witness_data = {
            lod_list = {stqe_next = 0x0}, lod_witness = 0x0}}, mtx_lock = 4, 
        mtx_recurse = 0}, head = {lh_first = 0xc4dc5bc0}}, {mtx = {lock_object = {
          lo_name = 0xc08b8dc2 "PPPoE hash mutex", 
          lo_type = 0xc08b8dc2 "PPPoE hash mutex", lo_flags = 16973824, lo_witness_data = {
            lod_list = {stqe_next = 0x0}, lod_witness = 0x0}}, mtx_lock = 4, 
        mtx_recurse = 0}, head = {lh_first = 0x0}} <repeats 165 times>}}
(kgdb) print *privp->sesshash.head.lh_first->sessions.le_next->sessions.le_next
$4 = {hook = 0x1, Session_ID = 52, state = 1920169263, creator = 1852400175, pkt_hdr = {
    eh = {ether_dhost = "/zcat", ether_shost = "/usr/s", ether_type = 24936}, ph = {
      ver = 2 '\002', type = 7 '\a', code = 101 'e', sid = 27951, length = 28257, 
      tag = 0xc4e68524}}, neg = 0x2e6e652f, sessions = {le_next = 0x2d465455, 
    le_prev = 0x61632f38}}
>How-To-Repeat:
Unknown at this time.
>Fix:

I don't expect this to be fixed, without a reproduction scenario, so I'm mainly
reporting this to see if others have experienced a similar crash.





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090904093907.B61227E854>