[Bug 227720] Kernel panic in ppp server

bugzilla-noreply Fri, 30 Nov 2018 01:57:02 -0800

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=227720


--- Comment #43 from Franck Rousseau <franck.rouss...@imag.fr> ---
(In reply to Andrey V. Elsukov from comment #42)

This is what I report in bug #230498 at comment #20 and at comment #37 in this
thread. I did it again from a clean SVN repo as you asked to be sure of the
conclusion.

How to crash :
- boot with the new kernel
- ifconfig bge0 192.168.0.2
- ppp server then term, wait for ppp open from client, with local server
address set to the same 192.168.0.2
- connection ok, it pings, then quit
- restart ppp server then term, wait for ppp open from client, after getting
PPp at the prompt, IP config is starting I guess, I get the crash, trying to
access a NULL pointer

In the dump:
(kgdb) bt
#0  doadump (textdump=1) at pcpu.h:229
#1  0xffffffff80b072a0 in kern_reboot (howto=260) at
/usr/src/sys/kern/kern_shutdown.c:383
#2  0xffffffff80b076e1 in vpanic (fmt=<value optimized out>, ap=<value
optimized out>)
    at /usr/src/sys/kern/kern_shutdown.c:776
#3  0xffffffff80b07523 in panic (fmt=<value optimized out>) at
/usr/src/sys/kern/kern_shutdown.c:707
#4  0xffffffff803aefc7 in db_panic (addr=<value optimized out>,
have_addr=<value optimized out>, 
    count=<value optimized out>, modif=<value optimized out>) at
/usr/src/sys/ddb/db_command.c:499
#5  0xffffffff803ae539 in db_command (cmd_table=<value optimized out>) at
/usr/src/sys/ddb/db_command.c:466
#6  0xffffffff803ae2b4 in db_command_loop () at
/usr/src/sys/ddb/db_command.c:519
#7  0xffffffff803b14ff in db_trap (type=<value optimized out>, code=<value
optimized out>)
    at /usr/src/sys/ddb/db_main.c:248
#8  0xffffffff80b4ed63 in kdb_trap (type=12, code=0, tf=<value optimized out>)
at /usr/src/sys/kern/subr_kdb.c:689
#9  0xffffffff80f99501 in trap_fatal (frame=0xfffffe0467edd320, eva=0) at
/usr/src/sys/amd64/amd64/trap.c:867
#10 0xffffffff80f99609 in trap_pfault (frame=0xfffffe0467edd320, usermode=0) at
pcpu.h:229
#11 0xffffffff80f98dd7 in trap (frame=0xfffffe0467edd320) at
/usr/src/sys/amd64/amd64/trap.c:415
#12 0xffffffff80f78e6c in calltrap () at
/usr/src/sys/amd64/amd64/exception.S:231
#13 0xffffffff80c24da4 in sysctl_dumpentry (rn=0xfffff80008954410,
vw=0xfffffe0467edd690)
    at /usr/src/sys/net/rtsock.c:1559
#14 0xffffffff80c1f990 in rn_walktree (h=<value optimized out>, f=<value
optimized out>, w=<value optimized out>)
    at /usr/src/sys/net/radix.c:1094
#15 0xffffffff80c246fb in sysctl_rtsock (oidp=<value optimized out>,
arg1=<value optimized out>, 
    arg2=<value optimized out>, req=<value optimized out>) at
/usr/src/sys/net/rtsock.c:1917
#16 0xffffffff80b14a6b in sysctl_root_handler_locked (oid=0xffffffff81a690d8,
arg1=0xfffffe0467edd908, arg2=4, 
    req=0xfffffe0467edd840, tracker=0xfffffe0467edd7b8) at
/usr/src/sys/kern/kern_sysctl.c:165
#17 0xffffffff80b142c1 in sysctl_root (arg1=0xfffffe0467edd908, arg2=4) at
/usr/src/sys/kern/kern_sysctl.c:1915
#18 0xffffffff80b147e6 in userland_sysctl (td=<value optimized out>,
name=0xfffffe0467edd900, namelen=6, old=0x0, 
    oldlenp=<value optimized out>, inkernel=<value optimized out>, new=0x0,
newlen=0, retval=0xfffffe0467edd968, 
    flags=0) at /usr/src/sys/kern/kern_sysctl.c:2011
#19 0xffffffff80b1466f in sys___sysctl (td=0xfffff80008837000,
uap=0xfffff80008837538)
    at /usr/src/sys/kern/kern_sysctl.c:1945
#20 0xffffffff80f9a638 in amd64_syscall (td=0xfffff80008837000, traced=0) at
subr_syscall.c:132
#21 0xffffffff80f796bd in fast_syscall_common () at
/usr/src/sys/amd64/amd64/exception.S:479
#22 0x0000000801de047a in ?? ()
Previous frame inner to this frame (corrupt stack?)
Current language:  auto; currently minimal
(kgdb) f 13
#13 0xffffffff80c24da4 in sysctl_dumpentry (rn=0xfffff80008954410,
vw=0xfffffe0467edd690)
    at /usr/src/sys/net/rtsock.c:1559
1559                    info.rti_info[RTAX_IFP] =
rt->rt_ifp->if_addr->ifa_addr;
(kgdb) print rt->rt_ifp->if_addr 
$1 = (struct ifaddr *) 0x0
(kgdb) print rt->rt_ifp->if_flags
$2 = 0
(kgdb) print rt->rt_ifp->if_index
$3 = 0
(kgdb) print rt->rt_ifp          
$4 = (struct ifnet *) 0xfffff8002be6c800
(kgdb) print *rt->rt_ifp
$5 = {if_link = {tqe_next = 0xfffff800b0cfe050, tqe_prev = 0xfffff800b0cfe0a0},
if_clones = {le_next = 0x0, 
    le_prev = 0x0}, if_groups = {tqh_first = 0x0, tqh_last = 0x0}, if_alloctype
= 0 '\0', if_softc = 0x0, 
  if_llsoftc = 0x0, if_l2com = 0x0, if_dname = 0x0, if_dunit = 0, if_index = 0,
if_index_reserved = 0, 
  if_xname = 0xfffff8002be6c860 "", if_description = 0x0, if_flags = 0,
if_drv_flags = 0, 
  if_capabilities = -1325336224, if_capenable = -2048, if_linkmib =
0xfffff800b100f9b0, 
  if_linkmiblen = 18446735280583750992, if_refcount = 2967221664, if_type = 0
'\0', if_addrlen = 248 '�', 
  if_hdrlen = 255 '�', if_link_state = 255 '�', if_mtu = 2967221744, if_metric
= 4294965248, 
  if_baudrate = 18446735280583751232, if_hwassist = 18446735280582943280,
if_epoch = -8793126608256, if_lastchange = {
    tv_sec = -8793126608176, tv_usec = 0}, if_snd = {ifq_head = 0x0, ifq_tail =
0x0, ifq_len = 0, ifq_maxlen = 0, 
    ifq_mtx = {lock_object = {lo_name = 0x0, lo_flags = 503152064, lo_data =
4294965252, 
        lo_witness = 0xfffff800053ee3c0}, mtx_lock = 18446735277704537104},
ifq_drv_head = 0xfffff800053ee460, 
    ifq_drv_tail = 0x0, ifq_drv_len = -1326900496, ifq_drv_maxlen = -2048,
altq_type = -1326900416, 
    altq_flags = -2048, altq_disc = 0xfffff800b0cfe320, altq_ifp =
0xfffff800b0cfe370, 
    altq_enqueue = 0xfffff800b0cfe3c0, altq_dequeue = 0xfffff800b0cfe410,
altq_request = 0xfffff800b0dc3870, 
    altq_clfier = 0xfffff800b100f8c0, altq_classify = 0xfffff800b100f910,
altq_tbr = 0x0, altq_cdnr = 0x0}, 
  if_linktask = {ta_link = {stqe_next = 0x0}, ta_pending = 0, ta_priority = 0,
ta_func = 0xfffff800b100fa00, 
    ta_context = 0x0}, if_addr_lock = {lock_object = {lo_name =
0xfffff800b0b8a1e0 "\200}�\035\004���\220���", 
      lo_flags = 2964890160, lo_data = 4294965248, lo_witness =
0xfffff800b0b8a280}, rw_lock = 18446735280581419728}, 
  if_addrhead = {tqh_first = 0x0, tqh_last = 0xfffff800b1044960}, if_multiaddrs
= {tqh_first = 0x0, tqh_last = 0x0}, 
  if_amcount = 0, if_addr = 0x0, if_broadcastaddr = 0xfffff800b0e91d70
"\200}�\035\004����\033��", if_afdata_lock = {
    lock_object = {lo_name = 0xfffff800b0e91dc0 "\200}�\035\004���p\035��",
lo_flags = 2967222464, 
      lo_data = 4294965248, lo_witness = 0xfffff800b0dc3910}, rw_lock =
18446735280583752032}, 
  if_afdata = 0xfffff8002be6ca08, if_afdata_initialized = -1330076256, if_fib =
4294965248, 
  if_vnet = 0xfffff800b0b8a5f0, if_home_vnet = 0xfffff800b0b8a640, if_vlantrunk
= 0xfffff800b100fe60, 
  if_bpf = 0xfffff800b100feb0, if_pcount = -1325334784, if_bridge =
0xfffff800b100ff50, if_lagg = 0x0, 
  if_pf_kif = 0xfffff800b1072000, if_carp = 0xfffff800b1072050, if_label =
0xfffff800b10720a0, 
  if_netmap = 0xfffff800b0b8a690, if_output = 0xfffff800b0b8a6e0, if_input =
0xfffff800b0b8a730, 
  if_start = 0xfffff800b0f5c280, if_ioctl = 0xfffff800b0f5c2d0, if_init = 0,
if_resolvemulti = 0, 
  if_qflush = 0xfffff800b0cfea00, if_transmit = 0xfffff800b0cfea50, if_reassign
= 0xfffff800b0cfeaa0, 
  if_get_counter = 0xfffff800b0dc3f50, if_requestencap = 0xfffff800b1072320,
if_counters = 0xfffff8002be6cc10, 
  if_hw_tsomax = 2968896528, if_hw_tsomaxsegcount = 4294965248,
if_hw_tsomaxsegsize = 2970036096, 
  if_pspare = 0xfffff8002be6cc80, if_hw_addr = 0xfffff800b0cfebe0, if_pcp = 160
'�', 
  if_bspare = 0xfffff8002be6cca1 "\020��", if_ispare = 0xfffff8002be6cca4}

-- 
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

[Bug 227720] Kernel panic in ppp server

Reply via email to