Bug 278171 - Reproducible kernel crash on 14.0-RELEASE and 14.0-STABLE
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 14.0-RELEASE
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Michael Tuexen
Reported: 2024-04-04 16:42 UTC by Thomas Dreibholz
Modified: 2024-04-17 14:25 UTC

tuexen: mfc-stable14+


Attachments
PCAP trace of the SCTP communication (3.79 KB, application/vnd.tcpdump.pcap)
2024-04-04 16:42 UTC, Thomas Dreibholz
/var/crash/info.0 (496 bytes, text/plain)
2024-04-04 16:43 UTC, Thomas Dreibholz

Description Thomas Dreibholz 2024-04-04 16:42:24 UTC
Created attachment 249709
PCAP trace of the SCTP communication

I made some tests with rsplib (https://github.com/dreibh/rsplib) on freshly installed FreeBSD VMs (14.0-RELEASE and 14.0-STABLE) under VirtualBox as well as Proxmox. With the following simple steps, I can reproducibly crash all these systems:

Build:
git clone https://github.com/dreibh/rsplib
cd rsplib
cmake . -DENABLE_QT=OFF
make
cd src
./rspregistrar

In another shell, or on another machine in the same network:
./rspserver
=> crash with reboot

Background:
rspserver finds rspregistrar by its ASAP Announces via UDP. Then, it establishes an SCTP association via SCTP 1-to-many-style socket calls. For the established association to rspregistrar, it calls sctp_peeloff() to get a new socket descriptor. I suspect that something is wrong here with SCTP, leading to the crash.

Attachments:
* A PCAP trace on another machine, where rspregistrar had been started, in order to get a PCAP trace up to the crash.
Comment 1 Thomas Dreibholz 2024-04-04 16:43:08 UTC
Created attachment 249710
/var/crash/info.0
Comment 2 Mark Johnston freebsd_committer freebsd_triage 2024-04-04 16:47:22 UTC
Could you please also provide the core.txt file?
Comment 3 Michael Tuexen freebsd_committer freebsd_triage 2024-04-04 17:00:22 UTC
Hi Thomas,

thanks for testing rsplib on a recent version of FreeBSD. I can reproduce the issue on FreeBSD main. I'll take a look.

Best regards
Michael
Comment 4 Michael Tuexen freebsd_committer freebsd_triage 2024-04-04 21:29:46 UTC
A patch is under review D44640.
Comment 5 commit-hook freebsd_committer freebsd_triage 2024-04-05 16:22:57 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=681711b77cde2cf3d64dc1e4951ec8287bc4f3e8

commit 681711b77cde2cf3d64dc1e4951ec8287bc4f3e8
Author:     Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2024-04-05 16:14:54 +0000
Commit:     Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2024-04-05 16:20:19 +0000

    uipc_socket: handle socket buffer locks in sopeeloff

    PR:                     278171
    Reviewed by:            markj
    Fixes:                  a4fc41423f7d ("sockets: enable protocol specific socket buffers")
    MFC after:              3 days
    Differential Revision:  https://reviews.freebsd.org/D44640

 sys/kern/uipc_socket.c | 4 ++++
 1 file changed, 4 insertions(+)
Comment 6 Thomas Dreibholz 2024-04-10 10:22:21 UTC
Commit 681711b77cde2cf3d64dc1e4951ec8287bc4f3e8 fixes the issue.
Comment 7 commit-hook freebsd_committer freebsd_triage 2024-04-17 13:59:47 UTC
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=7a019565ff6dc6efb5c6ab091343740fd6dd0377

commit 7a019565ff6dc6efb5c6ab091343740fd6dd0377
Author:     Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2024-04-05 16:14:54 +0000
Commit:     Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2024-04-17 13:58:22 +0000

    uipc_socket: handle socket buffer locks in sopeeloff

    PR:                     278171
    Reviewed by:            markj
    Fixes:                  a4fc41423f7d ("sockets: enable protocol specific socket buffers")
    Differential Revision:  https://reviews.freebsd.org/D44640

    (cherry picked from commit 681711b77cde2cf3d64dc1e4951ec8287bc4f3e8)

 sys/kern/uipc_socket.c | 4 ++++
 1 file changed, 4 insertions(+)