Date: Thu, 15 Feb 2018 17:09:16 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 225927] [panic] NULL pointer dereference in nd6_llinfo_timer()
Message-ID: <bug-225927-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225927

            Bug ID: 225927
           Summary: [panic] NULL pointer dereference in nd6_llinfo_timer()
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: ae@FreeBSD.org

We got this panic several times already. I filed this PR in case someone else
can put here "we have this panic too".

The panic happens when network configuration is being changed (i.e. some vlan
interfaces destroyed, IPv6 prefixes removed, etc.)
The system usually has 5-20 thousand NDP entries.

The backtrace is the following:

Fatal trap 12: page fault while in kernel mode
cpuid = 45; apic id = 33
fault virtual address   = 0x330
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff80cc3c65
stack pointer           = 0x28:0xfffffe104a3da890
frame pointer           = 0x28:0xfffffe104a3da900
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (swi4: clock (0))
trap number             = 12
panic: page fault
cpuid = 45
time = 1518707404
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe104a3da470
vpanic() at vpanic+0x19c/frame 0xfffffe104a3da4f0
panic() at panic+0x43/frame 0xfffffe104a3da550
trap_fatal() at trap_fatal+0x34d/frame 0xfffffe104a3da5a0
trap_pfault() at trap_pfault+0x49/frame 0xfffffe104a3da600
trap() at trap+0x2a9/frame 0xfffffe104a3da7c0
calltrap() at calltrap+0x8/frame 0xfffffe104a3da7c0
--- trap 0xc, rip = 0xffffffff80cc3c65, rsp = 0xfffffe104a3da890, rbp = 0xfffffe104a3da900 ---
nd6_llinfo_timer() at nd6_llinfo_timer+0x75/frame 0xfffffe104a3da900
softclock_call_cc() at softclock_call_cc+0x12f/frame 0xfffffe104a3da9b0
softclock() at softclock+0xb9/frame 0xfffffe104a3da9e0
intr_event_execute_handlers() at intr_event_execute_handlers+0xec/frame 0xfffffe104a3daa20
ithread_loop() at ithread_loop+0xd6/frame 0xfffffe104a3daa70
fork_exit() at fork_exit+0x85/frame 0xfffffe104a3daab0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe104a3daab0
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
Uptime: 18d20h16m49s
Dumping 17367 out of 65386 MB:..1%..11%..21%..31%..41%..51%..61%..71%..81%..91%

__curthread () at ./machine/pcpu.h:232
232     ./machine/pcpu.h: No such file or directory.
(kgdb) bt
#0  __curthread () at ./machine/pcpu.h:232
#1  doadump (textdump=1) at /usr/src/sys/kern/kern_shutdown.c:318
#2  0xffffffff80a8bdd6 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:386
#3  0xffffffff80a8c2c6 in vpanic (fmt=<optimized out>, ap=0xfffffe104a3da530) at /usr/src/sys/kern/kern_shutdown.c:779
#4  0xffffffff80a8c0e3 in panic (fmt=<unavailable>) at /usr/src/sys/kern/kern_shutdown.c:710
#5  0xffffffff80f1376d in trap_fatal (frame=0xfffffe104a3da7d0, eva=816) at /usr/src/sys/amd64/amd64/trap.c:799
#6  0xffffffff80f137c9 in trap_pfault (frame=0xfffffe104a3da7d0, usermode=0) at /usr/src/sys/amd64/amd64/trap.c:653
#7  0xffffffff80f13019 in trap (frame=0xfffffe104a3da7d0) at /usr/src/sys/amd64/amd64/trap.c:420
#8  <signal handler called>
#9  nd6_llinfo_timer (arg=0xfffff808285af000) at /usr/src/sys/netinet6/nd6.c:781
#10 0xffffffff80aa44af in softclock_call_cc (c=<optimized out>, cc=0xffffffff81dbff80 <cc_cpu>, direct=<optimized out>) at /usr/src/sys/kern/kern_timeout.c:729
#11 0xffffffff80aa49d9 in softclock (arg=0xffffffff81dbff80 <cc_cpu>) at /usr/src/sys/kern/kern_timeout.c:867
#12 0xffffffff80a50d4c in intr_event_execute_handlers (p=<optimized out>, ie=0xfffff8000b60d000) at /usr/src/sys/kern/kern_intr.c:1336
#13 0xffffffff80a51416 in ithread_execute_handlers (ie=<optimized out>, p=<optimized out>) at /usr/src/sys/kern/kern_intr.c:1349
#14 ithread_loop (arg=0xfffff8000b54b980) at /usr/src/sys/kern/kern_intr.c:1430
#15 0xffffffff80a4e095 in fork_exit (callout=0xffffffff80a51340 <ithread_loop>, arg=0xfffff8000b54b980, frame=0xfffffe104a3daac0) at /usr/src/sys/kern/kern_fork.c:1038
#16 <signal handler called>
(kgdb) f 9
#9  nd6_llinfo_timer (arg=0xfffff808285af000) at /usr/src/sys/netinet6/nd6.c:781
781     /usr/src/sys/netinet6/nd6.c: No such file or directory.
(kgdb) i lo
ln = 0xfffff808285af000
ifp = 0x0
ndi = <optimized out>
send_ns = <optimized out>
pdst = <optimized out>
delay = <optimized out>
do_switch = <optimized out>
src = <optimized out>
psrc = <optimized out>
(kgdb) p *ln
$1 = {lle_next = {le_next = 0xfffff8054ff07200, le_prev = 0xfffff80408aa8e70},
  r_l3addr = {addr4 = {s_addr = 3087401514}, addr6 = {__u6_addr = {
        __u6_addr8 = "*\002\006\270\000\000\032\001\230\370\036\370\203\253\036X",
        __u6_addr16 = {554, 47110, 0, 282, 63640, 63518, 43907, 22558},
        __u6_addr32 = {3087401514, 18481152, 4162779288, 1478404995}}}},
  r_linkdata = "\000%\220\353\223|$\212\a\021P\204\206\335\000\000\000\000\000\000\000\000\000",
  r_hdrlen = 14 '\016', spare0 = "\000\000", r_flags = 1, r_skip_req = 1,
  lle_tbl = 0xfffff80cfead8e00, lle_head = 0xfffff80408aa8e70,
  lle_free = 0xffffffff80ca8af0 <in6_lltable_destroy_lle>, la_hold = 0x0, la_numheld = 0,
  la_expire = 1628209, la_flags = 8, la_asked = 0, la_preempt = 0,
  ln_state = 2, ln_router = 0, ln_ntick = 0, lle_remtime = 85985000, lle_hittime = 0,
  lle_refcnt = 1, ll_addr = 0xfffff808285af020 "",
  lle_chain = {le_next = 0xfffff80408951a00, le_prev = 0xfffff80e9100d6a8},
  lle_timer = {c_links = {le = {le_next = 0x0, le_prev = 0xffffffff81dc0058 <cc_cpu+216>},
      sle = {sle_next = 0x0}, tqe = {tqe_next = 0x0, tqe_prev = 0xffffffff81dc0058 <cc_cpu+216>}},
    c_time = 6993108294966657, c_precision = 1342177187, c_arg = 0xfffff808285af000,
    c_func = 0xffffffff80cc3bf0 <nd6_llinfo_timer>, c_lock = 0x0, c_flags = 2,
    c_iflags = 144, c_cpu = 0},
  lle_lock = {lock_object = {lo_name = 0xffffffff81493c80 "lle", lo_flags = 90374144,
      lo_data = 0, lo_witness = 0x0}, rw_lock = 18446735277807501312},
  req_mtx = {lock_object = {lo_name = 0xffffffff81493c84 "lle req", lo_flags = 16973824,
      lo_data = 0, lo_witness = 0x0}, mtx_lock = 4}}
(kgdb) p ln->lle_timer
$2 = {c_links = {le = {le_next = 0x0, le_prev = 0xffffffff81dc0058 <cc_cpu+216>},
    sle = {sle_next = 0x0}, tqe = {tqe_next = 0x0, tqe_prev = 0xffffffff81dc0058 <cc_cpu+216>}},
  c_time = 6993108294966657, c_precision = 1342177187, c_arg = 0xfffff808285af000,
  c_func = 0xffffffff80cc3bf0 <nd6_llinfo_timer>, c_lock = 0x0, c_flags = 2,
  c_iflags = 144, c_cpu = 0}
(kgdb) p &((((struct ifnet *)0)->if_afdata[28])->nd_ifinfo)
Cannot access memory at address 0x330

The system doesn't have VIMAGE in the kernel; with this option I think it will
crash in the CURVNET_SET()

752         KASSERT(arg != NULL, ("%s: arg NULL", __func__));
753         ln = (struct llentry *)arg;
754         ifp = lltable_get_ifp(ln->lle_tbl);
755         CURVNET_SET(ifp->if_vnet);
756
757         ND6_RLOCK();
758         LLE_WLOCK(ln);
759         if (callout_pending(&ln->lle_timer)) {
760                 /*
761                  * Here we are a bit odd here in the treatment of
....
779                 return;
780         }
781         ndi = ND_IFINFO(ifp);

I think this happens when lltable_free() calls callout_stop() for an already
active callout, and then llentry_free() releases LLE_WLOCK() via
LLE_FREE_LOCKED().

-- 
You are receiving this mail because:
You are the assignee for the bug.
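A userland model of the interleaving the report suspects, added here as an illustration and not FreeBSD code: the callout state machine, the behaviour of lltable_free(), the struct fields and the NULL guard are all assumptions standing in for the real kernel. It shows why callout_stop() on a handler that is already executing cannot prevent nd6_llinfo_timer() from running against a table whose ifp has been detached, which is the ifp = 0x0 seen in the dump.

```c
#include <stddef.h>

/* PENDING: queued in the softclock wheel. RUNNING: already dequeued and
 * executing on the clock thread (frames #10/#11 in the report). */
enum co_state { CO_IDLE, CO_PENDING, CO_RUNNING };
struct ifnet   { int nd_ifinfo_ok; };          /* stands in for ND_IFINFO(ifp) */
struct lltable { struct ifnet *llt_ifp; };
struct llentry { struct lltable *lle_tbl; enum co_state lle_timer; };

/* Models callout_stop(9): returns 1 only if a PENDING callout was dequeued. */
static int model_callout_stop(enum co_state *c)
{
    if (*c != CO_PENDING)                      /* already executing: too late */
        return 0;
    *c = CO_IDLE;
    return 1;
}

/* lltable_free() as the report suspects: stop the timer, then detach the
 * interface whether or not the stop succeeded (assumed behaviour). */
static void model_lltable_free(struct llentry *ln)
{
    (void)model_callout_stop(&ln->lle_timer);
    ln->lle_tbl->llt_ifp = NULL;
}

/* Timer body of nd6.c:754-781. 1: ND_IFINFO(ifp) read fine. 0: ifp is NULL,
 * where the real kernel faults at offset 0x330. -1: an explicit NULL guard
 * (assumed here, not the project's fix) bailed out instead. */
static int model_nd6_llinfo_timer(struct llentry *ln, int guard)
{
    struct ifnet *ifp = ln->lle_tbl->llt_ifp;  /* lltable_get_ifp() */
    if (ifp == NULL)
        return guard ? -1 : 0;
    ln->lle_timer = CO_IDLE;
    return ifp->nd_ifinfo_ok;
}

/* One interleaving; 'running': softclock had already dequeued the callout. */
static int model_race(int running, int guard)
{
    struct ifnet ifp = { 1 };
    struct lltable tbl = { &ifp };
    struct llentry ln = { &tbl, running ? CO_RUNNING : CO_PENDING };
    model_lltable_free(&ln);
    if (ln.lle_timer == CO_IDLE)
        return 1;                              /* stopped while pending: never fires */
    return model_nd6_llinfo_timer(&ln, guard); /* fires against a detached table */
}
```

model_race(0, 0) is the benign ordering, model_race(1, 0) reproduces the NULL ifp dereference, and model_race(1, 1) shows the guarded variant exiting early.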