Date:      Tue, 01 Apr 2025 08:43:21 +0000
From:      bugzilla-noreply@freebsd.org
To:        net@FreeBSD.org
Subject:   [Bug 285813] Panic (NULL deref) in arptimer
Message-ID:  <bug-285813-7501-YZpahxpA3Z@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-285813-7501@https.bugs.freebsd.org/bugzilla/>
References:  <bug-285813-7501@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=285813

--- Comment #2 from Peter Blok <peter.blok@bsd4all.org> ---
Well, v has been optimised out, but as far as I can tell lv_rw_wowner returns
NULL when RW_LOCK_READ is set. But to reach the call to lv_rw_wowner,
RW_LOCK_READ has to be unset.

#define lv_rw_wowner(v)                         \
    ((v) & RW_LOCK_READ ? NULL :                    \
     (struct thread *)RW_OWNER((v)))

To me it looks as if another thread got the lock in between the if and the
call to lv_rw_wowner.

(kgdb) bt
#0  __curthread () at /usr/14-stable/sys/amd64/include/pcpu_aux.h:57
#1  doadump (textdump=<optimized out>) at /usr/14-stable/sys/kern/kern_shutdown.c:405
#2  0xffffffff805ebfcb in kern_reboot (howto=260) at /usr/14-stable/sys/kern/kern_shutdown.c:523
#3  0xffffffff805ec4c9 in vpanic (fmt=0xffffffff80a03764 "%s", ap=ap@entry=0xfffffe00109d6bb0) at /usr/14-stable/sys/kern/kern_shutdown.c:967
#4  0xffffffff805ec303 in panic (fmt=<unavailable>) at /usr/14-stable/sys/kern/kern_shutdown.c:891
#5  0xffffffff809a61af in trap_fatal (frame=<optimized out>, eva=<optimized out>) at /usr/14-stable/sys/amd64/amd64/trap.c:986
#6  0xffffffff809a61af in trap_pfault (frame=0xfffffe00109d6c30, usermode=false, signo=<optimized out>, ucode=<optimized out>)
#7  <signal handler called>
#8  __rw_wlock_hard (c=c@entry=0xfffff8001bc27d28, v=<optimized out>) at /usr/14-stable/sys/kern/kern_rwlock.c:1005
#9  0xffffffff80748432 in arptimer (arg=0xfffff8001bc27c00) at /usr/14-stable/sys/netinet/if_ether.c:212
#10 0xffffffff8060a249 in softclock_call_cc (c=0xfffff8001bc27cd0, cc=cc@entry=0xffffffff81ddd0c0, direct=direct@entry=0)
    at /usr/14-stable/sys/kern/kern_timeout.c:719
#11 0xffffffff8060ba15 in softclock_thread (arg=arg@entry=0xffffffff81ddd0c0) at /usr/14-stable/sys/kern/kern_timeout.c:858
#12 0xffffffff805a6a41 in fork_exit (callout=0xffffffff8060b930 <softclock_thread>, arg=0xffffffff81ddd0c0, frame=0xfffffe00109d6f40)
    at /usr/14-stable/sys/kern/kern_fork.c:1153
#13 <signal handler called>
#14 0xa5b2b4b2b4a3b4b2 in ?? ()

-- 
You are receiving this mail because:
You are the assignee for the bug.
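The check-then-use window the comment describes, as an added illustration rather than code from the bug report or the FreeBSD tree: the rwlock word and its flag bits are a constructed model (the assumed values are not FreeBSD's real layout), and `owner_from_reread` decodes a second read of the word after the `if`, which is where a concurrent reader can turn the decoded owner into NULL.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed rwlock word: bit 0 = held by readers, low 5 bits = flags, the
 * rest = owning thread pointer. Assumed layout for the demo, not FreeBSD's. */
#define RW_LOCK_READ     0x01
#define RW_LOCK_FLAGMASK 0x1f
#define RW_OWNER(x)      ((x) & ~(uintptr_t)RW_LOCK_FLAGMASK)

struct thread { int tid; };
typedef void (*window_fn)(volatile uintptr_t *);  /* what runs in the window */

/* Same shape as the macro quoted in the comment above. */
#define lv_rw_wowner(v)                         \
    ((v) & RW_LOCK_READ ? NULL :                    \
     (struct thread *)RW_OWNER((v)))

/* Another CPU takes a read lock in the window: owner bits vanish,
 * RW_LOCK_READ plus a reader count (constructed: one reader) appear. */
void reader_acquires(volatile uintptr_t *lockp)
{
    *lockp = RW_LOCK_READ | (1u << 5);
}

/* Safe pattern: read the word once, then check and decode that copy. */
struct thread *owner_from_snapshot(volatile uintptr_t *lockp, window_fn between)
{
    uintptr_t v = *lockp;
    if (v & RW_LOCK_READ)
        return NULL;
    between(lockp);
    return lv_rw_wowner(v);        /* same v as the check: never NULL here */
}

/* Racy pattern: the check and the decode each read the shared word. */
struct thread *owner_from_reread(volatile uintptr_t *lockp, window_fn between)
{
    if (*lockp & RW_LOCK_READ)
        return NULL;
    between(lockp);
    return lv_rw_wowner(*lockp);   /* NULL if a reader arrived in between */
}

static _Alignas(32) struct thread td = { 42 };   /* constructed write holder */

/* Lock write-held by td, reader arriving in the window. Returns the owner's
 * tid: 42 with the snapshot pattern, -1 (NULL owner) with the racy one. */
int demo(int racy)
{
    volatile uintptr_t lock = (uintptr_t)&td;
    struct thread *o = racy ? owner_from_reread(&lock, reader_acquires)
                            : owner_from_snapshot(&lock, reader_acquires);
    return o ? o->tid : -1;
}
```

Dereferencing the result of the racy pattern without a NULL check is exactly the shape of fault the backtrace shows in __rw_wlock_hard.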