Date: Thu, 15 Feb 2018 17:09:16 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 225927] [panic] NULL pointer dereference in nd6_llinfo_timer() Message-ID: <bug-225927-8@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225927 Bug ID: 225927 Summary: [panic] NULL pointer dereference in nd6_llinfo_timer() Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: kern Assignee: freebsd-bugs@FreeBSD.org Reporter: ae@FreeBSD.org We got this panic several times already. I filled this PR in case someone else can put here "we have this panic too". The panic happens when network configuration is being changed (i.e. some vlan interfaces destroyed, IPv6 prefixes removed, etc.) The system usually has 5-20 thousands of NDP entries. The backtrace is the following: Fatal trap 12: page fault while in kernel mode cpuid = 45; apic id = 33 fault virtual address = 0x330 fault code = supervisor read data, page not present instruction pointer = 0x20:0xffffffff80cc3c65 stack pointer = 0x28:0xfffffe104a3da890 frame pointer = 0x28:0xfffffe104a3da900 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 12 (swi4: clock (0)) trap number = 12 panic: page fault cpuid = 45 time = 1518707404 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe104a3da470 vpanic() at vpanic+0x19c/frame 0xfffffe104a3da4f0 panic() at panic+0x43/frame 0xfffffe104a3da550 trap_fatal() at trap_fatal+0x34d/frame 0xfffffe104a3da5a0 trap_pfault() at trap_pfault+0x49/frame 0xfffffe104a3da600 trap() at trap+0x2a9/frame 0xfffffe104a3da7c0 calltrap() at calltrap+0x8/frame 0xfffffe104a3da7c0 --- trap 0xc, rip = 0xffffffff80cc3c65, rsp = 0xfffffe104a3da890, rbp = 0xfffffe104a3da900 --- nd6_llinfo_timer() at nd6_llinfo_timer+0x75/frame 0xfffffe104a3da900 softclock_call_cc() at softclock_call_cc+0x12f/frame 0xfffffe104a3da9b0 softclock() at softclock+0xb9/frame 0xfffffe104a3da9e0 intr_event_execute_handlers() at intr_event_execute_handlers+0xec/frame 0xfffffe104a3daa20 ithread_loop() at ithread_loop+0xd6/frame 0xfffffe104a3daa70 fork_exit() at fork_exit+0x85/frame 0xfffffe104a3daab0 fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe104a3daab0 --- trap 0, rip = 0, rsp = 0, rbp = 0 --- Uptime: 18d20h16m49s Dumping 17367 out of 65386 MB:..1%..11%..21%..31%..41%..51%..61%..71%..81%..91% __curthread () at ./machine/pcpu.h:232 232 ./machine/pcpu.h: No such file or directory. (kgdb) bt #0 __curthread () at ./machine/pcpu.h:232 #1 doadump (textdump=1) at /usr/src/sys/kern/kern_shutdown.c:318 #2 0xffffffff80a8bdd6 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:386 #3 0xffffffff80a8c2c6 in vpanic (fmt=<optimized out>, ap=0xfffffe104a3da530) at /usr/src/sys/kern/kern_shutdown.c:779 #4 0xffffffff80a8c0e3 in panic (fmt=<unavailable>) at /usr/src/sys/kern/kern_shutdown.c:710 #5 0xffffffff80f1376d in trap_fatal (frame=0xfffffe104a3da7d0, eva=816) at /usr/src/sys/amd64/amd64/trap.c:799 #6 0xffffffff80f137c9 in trap_pfault (frame=0xfffffe104a3da7d0, usermode=0) at /usr/src/sys/amd64/amd64/trap.c:653 #7 0xffffffff80f13019 in trap (frame=0xfffffe104a3da7d0) at /usr/src/sys/amd64/amd64/trap.c:420 #8 <signal handler called> #9 nd6_llinfo_timer (arg=0xfffff808285af000) at /usr/src/sys/netinet6/nd6.c:781 #10 0xffffffff80aa44af in softclock_call_cc (c=<optimized out>, cc=0xffffffff81dbff80 <cc_cpu>, direct=<optimized out>) at /usr/src/sys/kern/kern_timeout.c:729 #11 0xffffffff80aa49d9 in softclock (arg=0xffffffff81dbff80 <cc_cpu>) at /usr/src/sys/kern/kern_timeout.c:867 #12 0xffffffff80a50d4c in intr_event_execute_handlers (p=<optimized out>, ie=0xfffff8000b60d000) at /usr/src/sys/kern/kern_intr.c:1336 #13 0xffffffff80a51416 in ithread_execute_handlers (ie=<optimized out>, p=<optimized out>) at /usr/src/sys/kern/kern_intr.c:1349 #14 ithread_loop (arg=0xfffff8000b54b980) at /usr/src/sys/kern/kern_intr.c:1430 #15 0xffffffff80a4e095 in fork_exit (callout=0xffffffff80a51340 <ithread_loop>, arg=0xfffff8000b54b980, frame=0xfffffe104a3daac0) at /usr/src/sys/kern/kern_fork.c:1038 #16 <signal handler called> (kgdb) f 9 #9 nd6_llinfo_timer (arg=0xfffff808285af000) at /usr/src/sys/netinet6/nd6.c:781 781 /usr/src/sys/netinet6/nd6.c: No such file or directory. (kgdb) i lo ln = 0xfffff808285af000 ifp = 0x0 ndi = <optimized out> send_ns = <optimized out> pdst = <optimized out> delay = <optimized out> do_switch = <optimized out> src = <optimized out> psrc = <optimized out> (kgdb) p *ln $1 = {lle_next = {le_next = 0xfffff8054ff07200, le_prev = 0xfffff80408aa8e70}, r_l3addr = {addr4 = {s_addr = 3087401514}, addr6 = {__u6_addr = { __u6_addr8 = "*\002\006\270\000\000\032\001\230\370\036\370\203\253\036X", __u6_addr16 = {554, 47110, 0, 282, 63640, 63518, 43907, 22558}, __u6_addr32 = { 3087401514, 18481152, 4162779288, 1478404995}}}}, r_linkdata = "\000%\220\353\223|$\212\a\021P\204\206\335\000\000\000\000\000\000\000\000\000", r_hdrlen = 14 '\016', spare0 = "\000\000", r_flags = 1, r_skip_req = 1, lle_tbl = 0xfffff80cfead8e00, lle_head = 0xfffff80408aa8e70, lle_free = 0xffffffff80ca8af0 <in6_lltable_destroy_lle>, la_hold = 0x0, la_numheld = 0, la_expire = 1628209, la_flags = 8, la_asked = 0, la_preempt = 0, ln_state = 2, ln_router = 0, ln_ntick = 0, lle_remtime = 85985000, lle_hittime = 0, lle_refcnt = 1, ll_addr = 0xfffff808285af020 "", lle_chain = { le_next = 0xfffff80408951a00, le_prev = 0xfffff80e9100d6a8}, lle_timer = {c_links = {le = {le_next = 0x0, le_prev = 0xffffffff81dc0058 <cc_cpu+216>}, sle = { sle_next = 0x0}, tqe = {tqe_next = 0x0, tqe_prev = 0xffffffff81dc0058 <cc_cpu+216>}}, c_time = 6993108294966657, c_precision = 1342177187, c_arg = 0xfffff808285af000, c_func = 0xffffffff80cc3bf0 <nd6_llinfo_timer>, c_lock = 0x0, c_flags = 2, c_iflags = 144, c_cpu = 0}, lle_lock = {lock_object = { lo_name = 0xffffffff81493c80 "lle", lo_flags = 90374144, lo_data = 0, lo_witness = 0x0}, rw_lock = 18446735277807501312}, req_mtx = {lock_object = { lo_name = 0xffffffff81493c84 "lle req", lo_flags = 16973824, lo_data = 0, lo_witness = 0x0}, mtx_lock = 4}} (kgdb) p ln->lle_timer $2 = {c_links = {le = {le_next = 0x0, le_prev = 0xffffffff81dc0058 <cc_cpu+216>}, sle = {sle_next = 0x0}, tqe = {tqe_next = 0x0, tqe_prev = 0xffffffff81dc0058 <cc_cpu+216>}}, c_time = 6993108294966657, c_precision = 1342177187, c_arg = 0xfffff808285af000, c_func = 0xffffffff80cc3bf0 <nd6_llinfo_timer>, c_lock = 0x0, c_flags = 2, c_iflags = 144, c_cpu = 0} (kgdb) p &((((struct ifnet *)0)->if_afdata[28])->nd_ifinfo) Cannot access memory at address 0x330 The system doesn't have VIMAGE in the kernel, with this option I think it will crash in the CURVNET_SET() 752 KASSERT(arg != NULL, ("%s: arg NULL", __func__)); 753 ln = (struct llentry *)arg; 754 ifp = lltable_get_ifp(ln->lle_tbl); 755 CURVNET_SET(ifp->if_vnet); 756 757 ND6_RLOCK(); 758 LLE_WLOCK(ln); 759 if (callout_pending(&ln->lle_timer)) { 760 /* 761 * Here we are a bit odd here in the treatment of .... 779 return; 780 } 781 ndi = ND_IFINFO(ifp); I think this happens when lltable_free() calls callout_stop() for already active callout, and then llentry_free() releases LLE_WLOCK() via LLE_FREE_LOCKED(). -- You are receiving this mail because: You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-225927-8>