From owner-freebsd-current@freebsd.org  Tue Jul 12 11:19:18 2016
Return-Path: <owner-freebsd-current@freebsd.org>
Delivered-To: freebsd-current@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id E8579B93C4D
 for <freebsd-current@mailman.ysv.freebsd.org>;
 Tue, 12 Jul 2016 11:19:18 +0000 (UTC)
 (envelope-from mizhka@gmail.com)
Received: from mail-lf0-x22a.google.com (mail-lf0-x22a.google.com
 [IPv6:2a00:1450:4010:c07::22a])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 6F0721BFC
 for <freebsd-current@freebsd.org>; Tue, 12 Jul 2016 11:19:18 +0000 (UTC)
 (envelope-from mizhka@gmail.com)
Received: by mail-lf0-x22a.google.com with SMTP id q132so10135274lfe.3
 for <freebsd-current@freebsd.org>; Tue, 12 Jul 2016 04:19:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:from:date:message-id:subject:to;
 bh=C/+uMnBTrMyq+H5xvW/DjD/hQJwX6bjkaz4HW2Tv6YY=;
 b=xcpltwH9j08LDWtQ86i2/70k4sDyvhUAvKT7ClqdiqO0pDghlYvuZHfSsB0oA8EjMo
 zBL3xFWItpNyo6NZA5OB1BP+7Bi06zVaqPOeqwNiLnp1f72eeFJsO1Htaarwvg4BHUJf
 t+iHpD/35fW1Fjmr5JvnajlyOp1CpK9kxbQTJZW+CCYY7qNqvWhNVO8AoxslqNO3a8vD
 9dlOGU7fKPn3/ztVMtLoB296xOsoiEYsOzFI/FUqMM4sIPb+OiVMu05An3B7gDKaGdqe
 27Oo4BjXeDEtoUYzkoQxrIpOGgv62CeqEaYX0Yl1F3e4x79+NVnYa8Rjo1mtjImQ21MS
 Myxw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
 bh=C/+uMnBTrMyq+H5xvW/DjD/hQJwX6bjkaz4HW2Tv6YY=;
 b=DHxfTA9qrT5X/CNtnccb1KmurvZ+UBkXZRKGZDOCODbeqaJEllqlEk3tJKyBYr2aMH
 ainRD0NOsq5TXVUSRC39FSPJfsqgPyn7a6bwN8tHx2t5RshLjj8+18WEeyY1ympRbAgF
 Gd3LkiCrtPg4F6hDHjLPEwt6WIr1yVeAMVF4qt4nYB1e3XNMnybPB8FTeRw0hsYU3O0N
 +pP1sY3+SgZZL2JYOoxTJ3aViXfWLUdDKozbUrrvrcygtVJWFGTfQNklgdyy3+cGSu25
 nIE3buunGJVBftK7nRC9M/yi6yPzEP3Uj/z6BIlo3SvgkPA5XM4H6PQd+hst/6dZkvv+
 v6IA==
X-Gm-Message-State: ALyK8tI6doVU36SQMgAd0MgII0BMFR9UGZRmxI3r+U5+U8eh6H8yvFzGsPumps0/tdM1CKSr7Db8uSMCTytveg==
X-Received: by 10.25.149.13 with SMTP id x13mr779036lfd.199.1468322356480;
 Tue, 12 Jul 2016 04:19:16 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.25.149.69 with HTTP; Tue, 12 Jul 2016 04:19:15 -0700 (PDT)
From: Michael Zhilin <mizhka@gmail.com>
Date: Tue, 12 Jul 2016 14:19:15 +0300
Message-ID: <CAF19XBLTDjSkAfSE-WfZUH6N6pJK0h2VC-1Wy35wL3HJHMg-tw@mail.gmail.com>
Subject: [panic] ng_uncallout with NULL callout argument
To: freebsd-current@freebsd.org
Content-Type: text/plain; charset=UTF-8
X-Content-Filtered-By: Mailman/MimeDel 2.1.22
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
 <freebsd-current.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current/>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jul 2016 11:19:19 -0000

Hi,
I've switched from 10 to head recently. Most of functionalities works
fine except few panics.
The most frequent panic happens when I unplug ethernet cable with
active PPTP VPN connection.

uname -a:
FreeBSD gidrarium 12.0-CURRENT FreeBSD 12.0-CURRENT #1: Sat Jul  9
17:28:38 MSK 2016
jenkins@gidrarium:/builds/FreeBSD-src-head/obj/builds/FreeBSD-src-head/sys/GENERIC
 amd64

Test case:
 - use wired ethernet connection
 - establish PPTP connection using mpd5
 - unplug ethernet cable (=> panic)

db> bt
Tracing pid 902 tid 100675 td 0xfffff800169a1000
ng_uncallout() at ng_uncallout+0x3d/frame 0xfffffe04530b3580
ng_pptpgre_disconnect() at ng_pptpgre_disconnect+0xbb/frame 0xfffff*
ng_destroy_hook() at ng_destroy_hook+0xlfe/frame 8xfffffe84538b35d8
ng_ranode() at ng_ranode+0x75/frame 0xfffffe04538b3618
ng_apply_item() at ng_apply_itea+0x4ca/frame 0xfffffeB4538b36a8
ng_snd_item() at ng_snd_itea+0x3a9/frame 0xfffffeB4538b36e0
ngc_send() at ngc_send+0x21b/frame 0xfffffe04530b3790
sosend_generic() at sosend_generic+0x436/frame 0xfffffe04538b3850
kern_sendit() at kern_sendit+0x21b/frame Bxfffffe04538b390B
sendit() at sendit+0x19f/frame 0xfffffeB4530b3950
sys_sendto() at sys_sendto+0x4d/frame 0xfffffe04530b39a0
amd64_syscall() at amd64_syscall+0x2db/frame 0xfffffe04530b3ab0
Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffeB4530b3abB
--- syscall (133, FreeBSD ELF64, sys_sendto), rip = 0x80253906a, rsp -
0x7fffdfffd72B, rbp - 0x7fffdfffd770

Panic happens due to missing check if item (c->c_arg) is NULL in ng_uncallout:

	item = c->c_arg;
	/* Do an extra check */
	if ((rval > 0) && (c->c_func == &ng_callout_trampoline) &&
	    (NGI_NODE(item) == node)) { /* <<<< NGI_NODE dereferences item,
but it may be NULL */

I suppose that actual root cause may be in upper stack (PPTP?).

Link to bug report: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211031

Best regards,

  Michael