From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 225927] [panic] NULL pointer dereference in nd6_llinfo_timer()
Date: Thu, 15 Feb 2018 17:09:16 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225927

            Bug ID: 225927
           Summary: [panic] NULL pointer dereference in nd6_llinfo_timer()
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: ae@FreeBSD.org

We got this panic several times already. I filed this PR in case someone else can put here "we have this panic too".

The panic happens when network configuration is being changed (i.e. some vlan interfaces destroyed, IPv6 prefixes removed, etc.). The system usually has 5-20 thousand NDP entries.
The backtrace is the following:

Fatal trap 12: page fault while in kernel mode
cpuid = 45; apic id = 33
fault virtual address   = 0x330
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff80cc3c65
stack pointer           = 0x28:0xfffffe104a3da890
frame pointer           = 0x28:0xfffffe104a3da900
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (swi4: clock (0))
trap number             = 12
panic: page fault
cpuid = 45
time = 1518707404
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe104a3da470
vpanic() at vpanic+0x19c/frame 0xfffffe104a3da4f0
panic() at panic+0x43/frame 0xfffffe104a3da550
trap_fatal() at trap_fatal+0x34d/frame 0xfffffe104a3da5a0
trap_pfault() at trap_pfault+0x49/frame 0xfffffe104a3da600
trap() at trap+0x2a9/frame 0xfffffe104a3da7c0
calltrap() at calltrap+0x8/frame 0xfffffe104a3da7c0
--- trap 0xc, rip = 0xffffffff80cc3c65, rsp = 0xfffffe104a3da890, rbp = 0xfffffe104a3da900 ---
nd6_llinfo_timer() at nd6_llinfo_timer+0x75/frame 0xfffffe104a3da900
softclock_call_cc() at softclock_call_cc+0x12f/frame 0xfffffe104a3da9b0
softclock() at softclock+0xb9/frame 0xfffffe104a3da9e0
intr_event_execute_handlers() at intr_event_execute_handlers+0xec/frame 0xfffffe104a3daa20
ithread_loop() at ithread_loop+0xd6/frame 0xfffffe104a3daa70
fork_exit() at fork_exit+0x85/frame 0xfffffe104a3daab0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe104a3daab0
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
Uptime: 18d20h16m49s
Dumping 17367 out of 65386 MB:..1%..11%..21%..31%..41%..51%..61%..71%..81%..91%

__curthread () at ./machine/pcpu.h:232
232     ./machine/pcpu.h: No such file or directory.

(kgdb) bt
#0  __curthread () at ./machine/pcpu.h:232
#1  doadump (textdump=1) at /usr/src/sys/kern/kern_shutdown.c:318
#2  0xffffffff80a8bdd6 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:386
#3  0xffffffff80a8c2c6 in vpanic (fmt=, ap=0xfffffe104a3da530) at /usr/src/sys/kern/kern_shutdown.c:779
#4  0xffffffff80a8c0e3 in panic (fmt=) at /usr/src/sys/kern/kern_shutdown.c:710
#5  0xffffffff80f1376d in trap_fatal (frame=0xfffffe104a3da7d0, eva=816) at /usr/src/sys/amd64/amd64/trap.c:799
#6  0xffffffff80f137c9 in trap_pfault (frame=0xfffffe104a3da7d0, usermode=0) at /usr/src/sys/amd64/amd64/trap.c:653
#7  0xffffffff80f13019 in trap (frame=0xfffffe104a3da7d0) at /usr/src/sys/amd64/amd64/trap.c:420
#8
#9  nd6_llinfo_timer (arg=0xfffff808285af000) at /usr/src/sys/netinet6/nd6.c:781
#10 0xffffffff80aa44af in softclock_call_cc (c=, cc=0xffffffff81dbff80, direct=) at /usr/src/sys/kern/kern_timeout.c:729
#11 0xffffffff80aa49d9 in softclock (arg=0xffffffff81dbff80) at /usr/src/sys/kern/kern_timeout.c:867
#12 0xffffffff80a50d4c in intr_event_execute_handlers (p=, ie=0xfffff8000b60d000) at /usr/src/sys/kern/kern_intr.c:1336
#13 0xffffffff80a51416 in ithread_execute_handlers (ie=, p=) at /usr/src/sys/kern/kern_intr.c:1349
#14 ithread_loop (arg=0xfffff8000b54b980) at /usr/src/sys/kern/kern_intr.c:1430
#15 0xffffffff80a4e095 in fork_exit (callout=0xffffffff80a51340, arg=0xfffff8000b54b980, frame=0xfffffe104a3daac0) at /usr/src/sys/kern/kern_fork.c:1038
#16
(kgdb) f 9
#9  nd6_llinfo_timer (arg=0xfffff808285af000) at /usr/src/sys/netinet6/nd6.c:781
781     /usr/src/sys/netinet6/nd6.c: No such file or directory.
(kgdb) i lo
ln = 0xfffff808285af000
ifp = 0x0
ndi =
send_ns =
pdst =
delay =
do_switch =
src =
psrc =
(kgdb) p *ln
$1 = {lle_next = {le_next = 0xfffff8054ff07200, le_prev = 0xfffff80408aa8e70},
  r_l3addr = {addr4 = {s_addr = 3087401514}, addr6 = {__u6_addr = {
        __u6_addr8 = "*\002\006\270\000\000\032\001\230\370\036\370\203\253\036X",
        __u6_addr16 = {554, 47110, 0, 282, 63640, 63518, 43907, 22558},
        __u6_addr32 = {3087401514, 18481152, 4162779288, 1478404995}}}},
  r_linkdata = "\000%\220\353\223|$\212\a\021P\204\206\335\000\000\000\000\000\000\000\000\000",
  r_hdrlen = 14 '\016', spare0 = "\000\000", r_flags = 1, r_skip_req = 1,
  lle_tbl = 0xfffff80cfead8e00, lle_head = 0xfffff80408aa8e70,
  lle_free = 0xffffffff80ca8af0, la_hold = 0x0, la_numheld = 0,
  la_expire = 1628209, la_flags = 8, la_asked = 0, la_preempt = 0,
  ln_state = 2, ln_router = 0, ln_ntick = 0, lle_remtime = 85985000,
  lle_hittime = 0, lle_refcnt = 1, ll_addr = 0xfffff808285af020 "",
  lle_chain = {le_next = 0xfffff80408951a00, le_prev = 0xfffff80e9100d6a8},
  lle_timer = {c_links = {le = {le_next = 0x0, le_prev = 0xffffffff81dc0058},
      sle = {sle_next = 0x0}, tqe = {tqe_next = 0x0, tqe_prev = 0xffffffff81dc0058}},
    c_time = 6993108294966657, c_precision = 1342177187,
    c_arg = 0xfffff808285af000, c_func = 0xffffffff80cc3bf0, c_lock = 0x0,
    c_flags = 2, c_iflags = 144, c_cpu = 0},
  lle_lock = {lock_object = {lo_name = 0xffffffff81493c80 "lle",
      lo_flags = 90374144, lo_data = 0, lo_witness = 0x0},
    rw_lock = 18446735277807501312},
  req_mtx = {lock_object = {lo_name = 0xffffffff81493c84 "lle req",
      lo_flags = 16973824, lo_data = 0, lo_witness = 0x0}, mtx_lock = 4}}
(kgdb) p ln->lle_timer
$2 = {c_links = {le = {le_next = 0x0, le_prev = 0xffffffff81dc0058},
    sle = {sle_next = 0x0}, tqe = {tqe_next = 0x0, tqe_prev = 0xffffffff81dc0058}},
  c_time = 6993108294966657, c_precision = 1342177187, c_arg = 0xfffff808285af000,
  c_func = 0xffffffff80cc3bf0, c_lock = 0x0, c_flags = 2, c_iflags = 144, c_cpu = 0}
(kgdb) p &((((struct ifnet *)0)->if_afdata[28])->nd_ifinfo)
Cannot access memory at address 0x330

The system doesn't have VIMAGE in the kernel; with this option I think it will crash in CURVNET_SET().

752             KASSERT(arg != NULL, ("%s: arg NULL", __func__));
753             ln = (struct llentry *)arg;
754             ifp = lltable_get_ifp(ln->lle_tbl);
755             CURVNET_SET(ifp->if_vnet);
756
757             ND6_RLOCK();
758             LLE_WLOCK(ln);
759             if (callout_pending(&ln->lle_timer)) {
760                     /*
761                      * Here we are a bit odd here in the treatment of
....
779                     return;
780             }
781             ndi = ND_IFINFO(ifp);

I think this happens when lltable_free() calls callout_stop() for an already active callout, and then llentry_free() releases LLE_WLOCK() via LLE_FREE_LOCKED().

-- 
You are receiving this mail because:
You are the assignee for the bug.
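The teardown race the reporter describes, as an added user-space C model that is not part of the bug report or of FreeBSD: callout_stop() can cancel a timer that is still pending but cannot stop a handler softclock has already dispatched, so a teardown that ignores its return value and detaches the interface leaves the late handler reading a NULL ifp (the 0x330 fault above). The struct and function names, the if_index value and the drain_first ordering are constructed stand-ins.

```c
#include <stdio.h>

/* Constructed user-space model of the timer-vs-teardown race in the report; not
 * FreeBSD code (names are stand-ins for llentry/lltable/ifnet and callout_stop).
 * pending: timer queued, handler not yet run; active: handler already dispatched. */
struct ifnet   { int if_index; };
struct lltable { struct ifnet *llt_ifp; };
struct llentry { struct lltable *lle_tbl; int pending, active; };

/* Like callout_stop(): cancels a pending timer (1), cannot cancel a running one (0). */
static int model_callout_stop(struct llentry *ln)
{
    if (!ln->pending)
        return 0;
    ln->pending = 0;
    return 1;
}

/* Handler body as in nd6.c: ifp = lltable_get_ifp(ln->lle_tbl); ND_IFINFO(ifp).
 * Returns if_index, or -1 where the kernel would fault on the NULL ifp. */
static int model_timer_body(struct llentry *ln)
{
    struct ifnet *ifp = ln->lle_tbl->llt_ifp;
    ln->active = 0;
    return ifp == NULL ? -1 : ifp->if_index;
}

/* timer_running: handler dispatched before teardown. drain_first: let it finish
 * before detaching the ifp (callout_drain ordering) rather than ignoring the
 * callout_stop() result, which is the crash path the report describes. */
static int teardown(int timer_running, int drain_first)
{
    struct ifnet ifp = { .if_index = 7 };
    struct lltable tbl = { .llt_ifp = &ifp };
    struct llentry ln = { &tbl, !timer_running, timer_running };
    int result = 0, cancelled = model_callout_stop(&ln); /* 0: handler never ran */

    if (!cancelled && ln.active && drain_first)
        result = model_timer_body(&ln);    /* finishes with a valid ifp: 7 */
    tbl.llt_ifp = NULL;                    /* lltable_free detaches the ifp */
    if (!cancelled && ln.active)
        result = model_timer_body(&ln);    /* late handler reads NULL ifp: -1 */
    return result;
}

int main(void)
{
    printf("%d %d %d\n", teardown(0, 0), teardown(1, 0), teardown(1, 1)); /* 0 -1 7 */
    return 0;
}
```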