https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221849

            Bug ID: 221849
           Summary: Kernel panic, kqueue related NULL pointer dereference
                    sys/kern/kern_event.c
           Product: Base System
           Version: 11.1-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: ara...@phat.za.net

I've stumbled upon a consistently reproducible panic with a GENERIC kernel on
11.1-RELEASE.  For me it happens every time I try to connect my Android device to
the L2TP/IPSec (racoon+mpd) server running on the system in question.  I don't
know what's special about the Android VPN client, so I suspect this panic might
occur under other conditions too (other VPN clients don't trigger this).

kern_kqueue() in sys/kern/kern_event.c:827 is passed a struct thread pointer
whose td_ucred->cr_ruidinfo member is a null pointer; that null pointer is passed
on to chgkqcnt() in sys/kern/kern_resource.c:1430 and is eventually dereferenced
by atomic_fetchadd_long in sys/amd64/include/atomic.h.  Note that the
`print *cred` output below shows implausible values for the other fields too
(cr_ref, cr_uid, cr_ruid, and cr_uidinfo also NULL), so the ucred itself may
already be freed or corrupted by the time kern_kqueue() runs, rather than only
cr_ruidinfo being unset -- worth confirming before treating this as a kqueue bug.


Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address   = 0x50
fault code              = supervisor write data, page not present
instruction pointer     = 0x20:0xffffffff80a65f95
stack pointer           = 0x28:0xfffffe004f1258c0
frame pointer           = 0x28:0xfffffe004f1258d0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 816 (sshd)
trap number             = 12
panic: page fault
cpuid = 1
KDB: stack backtrace:
#0 0xffffffff80aada97 at kdb_backtrace+0x67
#1 0xffffffff80a6bb76 at vpanic+0x186
#2 0xffffffff80a6b9e3 at panic+0x43
#3 0xffffffff80edf832 at trap_fatal+0x322
#4 0xffffffff80edf889 at trap_pfault+0x49
#5 0xffffffff80edf0c6 at trap+0x286
#6 0xffffffff80ec3641 at calltrap+0x8
#7 0xffffffff80a21fbc at kern_kqueue+0x4c
#8 0xffffffff80ee0394 at amd64_syscall+0x6c4
#9 0xffffffff80ec392b at Xfast_syscall+0xfb
Uptime: 6m56s
Dumping 122 out of 991 MB:..14%..27%..40%..53%..66%..79%..92%

Reading symbols from /boot/kernel/ng_socket.ko...Reading symbols from
/usr/lib/debug//boot/kernel/ng_socket.ko.debug...done.
done.
Loaded symbols for /boot/kernel/ng_socket.ko
Reading symbols from /boot/kernel/netgraph.ko...Reading symbols from
/usr/lib/debug//boot/kernel/netgraph.ko.debug...done.
done.
Loaded symbols for /boot/kernel/netgraph.ko
Reading symbols from /boot/kernel/ng_mppc.ko...Reading symbols from
/usr/lib/debug//boot/kernel/ng_mppc.ko.debug...done.
done.
Loaded symbols for /boot/kernel/ng_mppc.ko
Reading symbols from /boot/kernel/rc4.ko...Reading symbols from
/usr/lib/debug//boot/kernel/rc4.ko.debug...done.
done.
Loaded symbols for /boot/kernel/rc4.ko
#0  doadump (textdump=<value optimized out>) at pcpu.h:222
222             __asm("movq %%gs:%1,%0" : "=r" (td)
(kgdb) list *0xffffffff80a65f95
0xffffffff80a65f95 is in chgkqcnt (atomic.h:263).
258      */
259     static __inline u_long
260     atomic_fetchadd_long(volatile u_long *p, u_long v)
261     {
262
263             __asm __volatile(
264             "       " MPLOCKED "            "
265             "       xaddq   %0,%1 ;         "
266             "# atomic_fetchadd_long"
267             : "+r" (v),                     /* 0 */
Current language:  auto; currently minimal
(kgdb) backtrace
#0  doadump (textdump=<value optimized out>) at pcpu.h:222
#1  0xffffffff80a6b6f1 in kern_reboot (howto=260) at
/usr/src/sys/kern/kern_shutdown.c:366
#2  0xffffffff80a6bbb0 in vpanic (fmt=<value optimized out>, ap=<value
optimized out>) at /usr/src/sys/kern/kern_shutdown.c:759
#3  0xffffffff80a6b9e3 in panic (fmt=<value optimized out>) at
/usr/src/sys/kern/kern_shutdown.c:690
#4  0xffffffff80edf832 in trap_fatal (frame=0xfffffe004f125800, eva=80) at
/usr/src/sys/amd64/amd64/trap.c:801
#5  0xffffffff80edf889 in trap_pfault (frame=0xfffffe004f125800, usermode=0) at
pcpu.h:222
#6  0xffffffff80edf0c6 in trap (frame=0xfffffe004f125800) at
/usr/src/sys/amd64/amd64/trap.c:421
#7  0xffffffff80ec3641 in calltrap () at
/usr/src/sys/amd64/amd64/exception.S:236
#8  0xffffffff80a65f95 in chgkqcnt (uip=0x0, diff=1, max=9223372036854775807)
at atomic.h:263
#9  0xffffffff80a21fbc in kern_kqueue (td=0xfffff80003e6a000, flags=0,
fcaps=0x0) at /usr/src/sys/kern/kern_event.c:837
#10 0xffffffff80ee0394 in amd64_syscall (td=0xfffff80003e6a000, traced=0) at
subr_syscall.c:135
#11 0xffffffff80ec392b in Xfast_syscall () at
/usr/src/sys/amd64/amd64/exception.S:396
#12 0x00000008021aae9a in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) frame 9
#9  0xffffffff80a21fbc in kern_kqueue (td=0xfffff80003e6a000, flags=0,
fcaps=0x0) at /usr/src/sys/kern/kern_event.c:837
837             if (!chgkqcnt(cred->cr_ruidinfo, 1, lim_cur(td,
RLIMIT_KQUEUES)))
(kgdb) list
832             struct ucred *cred;
833             int fd, error;
834
835             fdp = td->td_proc->p_fd;
836             cred = td->td_ucred;
837             if (!chgkqcnt(cred->cr_ruidinfo, 1, lim_cur(td,
RLIMIT_KQUEUES)))
838                     return (ENOMEM);
839
840             error = falloc_caps(td, &fp, &fd, flags, fcaps);
841             if (error != 0) {
(kgdb) print *cred
$1 = {cr_ref = 2168608751, cr_uid = 4294967295, cr_ruid = 21168128, cr_svuid =
0, cr_ngroups = 0, cr_rgid = 0, cr_svgid = 4, 
  cr_uidinfo = 0x0, cr_ruidinfo = 0x0, cr_prison = 0xfffff8002676b4b0,
cr_loginclass = 0xfffff80003945280, cr_flags = 60052120, 
  cr_pspare2 = 0xfffff80003640448, cr_label = 0x0, cr_audit = {ai_auid = 0,
ai_mask = {am_success = 0, am_failure = 2158116784}, 
    ai_termid = {at_port = 4294967295, at_type = 2158116848, at_addr =
0xfffff80003640474}, ai_asid = -1, 
    ai_flags = 18446735277673415680}, cr_groups = 0x0, cr_agroups = 0,
cr_smallgroups = 0xfffff8000364049c}
