Bug 201371 - panic: negative refcount after dhclient during boot
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: mips Any
Importance: --- Affects Only Me
Assignee: freebsd-bugs (Nobody)
Reported: 2015-07-06 07:20 UTC by Rink Springer
Modified: 2015-07-10 14:53 UTC

Attachments
Boot log (15.03 KB, text/plain)
2015-07-06 07:20 UTC, Rink Springer
Kernel configuration file (3.94 KB, text/plain)
2015-07-06 07:20 UTC, Rink Springer

Description Rink Springer freebsd_committer freebsd_triage 2015-07-06 07:20:02 UTC
Created attachment 158407
Boot log

FreeBSD/mips on a RouterStation Pro panics shortly after reboot:

FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 11.0-CURRENT #0 r285099: Sun Jul  5 12:31:47 CEST 2015
    rink@greed.home.rink.nu:/home/rink/freebsd/obj/mips.mips/home/rink/freebsd/head/sys/FRINGE mips
gcc version 4.2.1 20070831 patched [FreeBSD]
[...]
Starting devd.
Additional inet routing options: gateway=YES.
Starting dhclient.
DHCPREQUEST on arge0 to 255.255.255.255 port 67
panic: negative refcount 0x8087ec24
KDB: enter: panic
[ thread pid 11 tid 100027 ]
Stopped at      kdb_enter+0x4c: lui     at,0x8066
db> r
?
KDB: reentering
KDB: stack backtrace:
db_trace_thread+30 (?,?,?,?) ra cc72b51800000018 sp 0 sz 0
db_trace_self+1c (?,?,?,?) ra cc72b53000000018 sp 0 sz 0
80086f30+34 (?,?,?,?) ra cc72b548000001a0 sp 0 sz 0
kdb_backtrace+44 (?,?,?,?) ra cc72b6e800000018 sp 0 sz 0
kdb_reenter+3c (?,?,?,?) ra cc72b70000000018 sp 0 sz 0
db_error+30 (?,?,?,?) ra cc72b71800000018 sp 0 sz 0
db_run_cmd+28 (?,?,?,?) ra cc72b73000000018 sp 0 sz 0
80084204+388 (?,?,?,?) ra cc72b748000000a8 sp 0 sz 0
db_command_loop+70 (?,?,?,?) ra cc72b7f000000018 sp 0 sz 0
80086dc8+f4 (?,?,?,?) ra cc72b808000001a8 sp 0 sz 0
kdb_trap+110 (?,?,?,?) ra cc72b9b000000030 sp 0 sz 0
trap+cfc (?,?,?,?) ra cc72b9e0000000c8 sp 0 sz 0
MipsKernGenException+134 (0,4,80560720,12f) ra cc72baa8000000c8 sp 100000001 sz 1
kdb_enter+4c (?,?,?,?) ra cc72bb7000000018 sp 0 sz 0
vpanic+ec (?,?,?,?) ra cc72bb8800000020 sp 0 sz 0
kassert_panic+78 (?,8087ec24,80c7b470,0) ra cc72bba800000020 sp 1 sz 1
ifa_free+40 (?,?,?,?) ra cc72bbc800000018 sp 0 sz 0
ip_forward+838 (?,?,?,?) ra cc72bbe000000068 sp 0 sz 0
ip_input+ce4 (823baa00,?,?,?) ra cc72bc4800000038 sp 100000000 sz 0
netisr_dispatch_src+134 (?,?,?,?) ra cc72bc8000000040 sp 0 sz 0
netisr_dispatch+14 (?,?,?,?) ra cc72bcc000000018 sp 0 sz 0
ether_demux+254 (?,823baa00,?,?) ra cc72bcd800000028 sp 1 sz 0
80333ffc+530 (823baa00,?,?,?) ra cc72bd0000000030 sp 100000000 sz 0
netisr_dispatch_src+134 (?,?,?,?) ra cc72bd3000000040 sp 0 sz 0
netisr_dispatch+14 (?,?,?,?) ra cc72bd7000000018 sp 0 sz 0
80333b58+54 (?,?,?,?) ra cc72bd8800000020 sp 0 sz 0
804c7948+30c (?,?,?,?) ra cc72bda800000048 sp 0 sz 0
intr_event_execute_handlers+13c (?,?,?,?) ra cc72bdf000000028 sp 0 sz 0
80228a80+c8 (?,?,?,?) ra cc72be1800000040 sp 0 sz 0
fork_exit+b0 (?,?,?,?) ra cc72be5800000028 sp 0 sz 0
fork_trampoline+10 (?,?,?,?) ra cc72be8000000000 sp 0 sz 0
pid 11
db>

Reproduces 100%. I only started getting the panic after 'gateway_enable=YES' in /etc/rc.conf
Comment 1 Rink Springer freebsd_committer freebsd_triage 2015-07-06 07:20:37 UTC
Created attachment 158408
Kernel configuration file
Comment 2 Rink Springer freebsd_committer freebsd_triage 2015-07-07 16:09:40 UTC
It t
Comment 3 Rink Springer freebsd_committer freebsd_triage 2015-07-07 16:10:02 UTC
It turns out that reverting r285051 fixes the panic and lets the system boot okay.
Comment 4 commit-hook freebsd_committer freebsd_triage 2015-07-09 16:29:34 UTC
A commit references this bug:

Author: eri
Date: Thu Jul  9 16:28:37 UTC 2015
New revision: 285325
URL: https://svnweb.freebsd.org/changeset/base/285325

Log:
  Correct issue presented in r285051,
  apparently neither clang nor gcc complain about this.
  But clang inits the var to NULL correctly while gcc on at least mips does not.
  Correct the undefined behavior by initializing the variable properly.

  PR:		201371
  Differential Revision:	 https://reviews.freebsd.org/D3036
  Reviewed by:	gnn
  Approved by:	gnn(mentor)

Changes:
  head/sys/netinet/ip_input.c
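
Added example, not the committed change and not code from ip_input.c: a minimal C model of the failure class the commit log in Comment 4 describes, where a pointer left uninitialized on one path reaches a reference-count release. All names (addr_ref, forward_buggy, forward_fixed, stack_garbage) are hypothetical, and the uninitialized stack slot is modelled by an explicit parameter so the result is deterministic.

```c
#include <stdio.h>

/* Hypothetical refcounted object; a stand-in, not FreeBSD's struct ifaddr. */
struct addr_ref { int refcount; };
static int underflows; /* releases that would trip a "negative refcount" assertion */

static void ref_acquire(struct addr_ref *a) { a->refcount++; }
static void ref_release(struct addr_ref *a)
{
    if (a->refcount <= 0) { underflows++; return; } /* a kernel would panic here */
    a->refcount--;
}

/*
 * Buggy shape: ia is assigned on one path only but released whenever non-NULL.
 * Reading a really uninitialized local is undefined behaviour, so the leftover
 * stack value is passed in as stack_garbage to keep this model deterministic.
 */
static void forward_buggy(struct addr_ref *route, struct addr_ref *stack_garbage)
{
    struct addr_ref *ia = stack_garbage; /* models a bare "struct addr_ref *ia;" */
    if (route != NULL) { ia = route; ref_acquire(ia); }
    if (ia != NULL)
        ref_release(ia); /* may drop a reference this call never took */
}

/* Fixed shape: initialized at declaration, so the no-route path releases nothing. */
static void forward_fixed(struct addr_ref *route)
{
    struct addr_ref *ia = NULL;
    if (route != NULL) { ia = route; ref_acquire(ia); }
    if (ia != NULL)
        ref_release(ia);
}

/* One packet with no route, beside a constructed object nobody holds a reference on. */
static int demo_underflows(int use_fixed)
{
    struct addr_ref stale = { 0 };
    underflows = 0;
    if (use_fixed) forward_fixed(NULL);
    else forward_buggy(NULL, &stale);
    return underflows;
}

int main(void)
{
    printf("buggy: %d underflow(s), fixed: %d\n", demo_underflows(0), demo_underflows(1));
    return 0;
}
```

Building with -Wall (or -Wmaybe-uninitialized / -Wsometimes-uninitialized) and running KASSERT-enabled kernels on more than one compiler and architecture are the usual ways to surface this pattern before it ships.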