Bug 197203

Summary: [VIMAGE] null pointer dereference causing kernel panic
Product: Base System Reporter: Lars Engels <lme>
Component: kern    Assignee: freebsd-bugs mailing list <bugs>
Status: Closed FIXED    
Severity: Affects Only Me CC: ae, emaste
Priority: ---    
Version: CURRENT   
Hardware: Any   
OS: Any   

Description Lars Engels freebsd_committer 2015-01-30 18:28:13 UTC
I'm running 11.0-CURRENT #12 r277858M amd64 with "options VIMAGE" compiled into the kernel.

Network-related settings in rc.conf:

cloned_interfaces="bridge0 bridge1 tap0 tap1"
ifconfig_wlan0="WPA DHCP country DE"
ifconfig_em0_ipv6="inet6 accept_rtadv"

The machine boots fine, and all interfaces come up. But when I run "service netif restart" from a running system I get a kernel panic:

Fatal trap 12: page fault while in kernel mode
cpuid = 3; apic id = 03
fault virtual address   = 0x28
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff80ac49c7
stack pointer           = 0x28:0xfffffe04431d67b0
frame pointer           = 0x28:0xfffffe04431d6850
code segment            = base rx0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 0 (thread taskq)
Uptime: 3h55m14s
Dumping 857 out of 16050 MB:..2%..12%..21%..32%..42%..51%..62%..71%..81%..92%

#0  doadump (textdump=Unhandled dwarf expression opcode 0x93
) at pcpu.h:219
219     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) #0  doadump (textdump=Unhandled dwarf expression opcode 0x93
) at pcpu.h:219
#1  0xffffffff809c6c2f in kern_reboot (howto=260)
    at /usr/src/sys/kern/kern_shutdown.c:448
#2  0xffffffff809c7170 in panic (fmt=<value optimized out>)
    at /usr/src/sys/kern/kern_shutdown.c:747
#3  0xffffffff803589b7 in db_panic (addr=<value optimized out>, have_addr=Unhandled dwarf expression opcode 0x93)
    at /usr/src/sys/ddb/db_command.c:473
#4  0xffffffff803585cc in db_command (cmd_table=0x0)
    at /usr/src/sys/ddb/db_command.c:440
#5  0xffffffff80358334 in db_command_loop ()
    at /usr/src/sys/ddb/db_command.c:493
#6  0xffffffff8035aef0 in db_trap (type=<value optimized out>, code=Unhandled dwarf expression opcode 0x93)
    at /usr/src/sys/ddb/db_main.c:251
#7  0xffffffff80a0a40e in kdb_trap (type=Unhandled dwarf expression opcode 0x93) at /usr/src/sys/kern/subr_kdb.c:654
#8  0xffffffff80e3d259 in trap_fatal (frame=0xfffffe04431d6700, 
    eva=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:856
#9  0xffffffff80e3d5d1 in trap_pfault (frame=0xfffffe04431d6700, 
    usermode=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:678
#10 0xffffffff80e3cc0e in trap (frame=0xfffffe04431d6700)
    at /usr/src/sys/amd64/amd64/trap.c:426
#11 0xffffffff80e1e602 in calltrap ()
    at /usr/src/sys/amd64/amd64/exception.S:235
#12 0xffffffff80ac49c7 in rt_newmaddrmsg (cmd=Unhandled dwarf expression opcode 0x93)
    at /usr/src/sys/net/rtsock.c:1366
#13 0xffffffff80aadf90 in if_addmulti (ifp=0xfffff800065cb000, 
    sa=<value optimized out>, retifma=<value optimized out>)
    at /usr/src/sys/net/if.c:3159
#14 0xffffffff80aed63e in ieee80211_ioctl (ifp=<value optimized out>, 
    cmd=<value optimized out>, data=<value optimized out>)
    at /usr/src/sys/net80211/ieee80211_ioctl.c:3325
#15 0xffffffff80b1f2df in in_leavegroup (inm=0xfffff80205445500, 
    imf=<value optimized out>) at /usr/src/sys/netinet/in_mcast.c:1291
#16 0xffffffff80b2351d in inp_gcmoptions (context=<value optimized out>, 
    pending=<value optimized out>) at /usr/src/sys/netinet/in_mcast.c:1603
#17 0xffffffff80a1b309 in taskqueue_run_locked (queue=0xfffff80006358b00)
    at /usr/src/sys/kern/subr_taskqueue.c:431
#18 0xffffffff80a1c1c8 in taskqueue_thread_loop (arg=<value optimized out>)
    at /usr/src/sys/kern/subr_taskqueue.c:695
#19 0xffffffff8098627a in fork_exit (
    callout=0xffffffff80a1c100 <taskqueue_thread_loop>, 
    arg=0xffffffff8189fde0, frame=0xfffffe04431d6ac0)
    at /usr/src/sys/kern/kern_fork.c:996
#20 0xffffffff80e1eb3e in fork_trampoline ()
    at /usr/src/sys/amd64/amd64/exception.S:610
#21 0x0000000000000000 in ?? ()
Current language:  auto; currently minimal

(kgdb) frame 12
#12 0xffffffff80ac49c7 in rt_newmaddrmsg (cmd=Unhandled dwarf expression opcode 0x93
) at /usr/src/sys/net/rtsock.c:1366
1366		if (V_route_cb.any_count == 0)
(kgdb) p $rip
$1 = (void (*)()) 0xffffffff80ac49c7 <rt_newmaddrmsg+39>
(kgdb) disas *($rip)
Dump of assembler code for function rt_newmaddrmsg:
0xffffffff80ac49a0 <rt_newmaddrmsg+0>:	push   %rbp
0xffffffff80ac49a1 <rt_newmaddrmsg+1>:	mov    %rsp,%rbp
0xffffffff80ac49a4 <rt_newmaddrmsg+4>:	push   %r15
0xffffffff80ac49a6 <rt_newmaddrmsg+6>:	push   %r14
0xffffffff80ac49a8 <rt_newmaddrmsg+8>:	push   %rbx
0xffffffff80ac49a9 <rt_newmaddrmsg+9>:	sub    $0x78,%rsp
0xffffffff80ac49ad <rt_newmaddrmsg+13>:	mov    %rsi,%rbx
0xffffffff80ac49b0 <rt_newmaddrmsg+16>:	mov    %edi,%r14d
0xffffffff80ac49b3 <rt_newmaddrmsg+19>:	mov    0x20(%rbx),%r15
0xffffffff80ac49b7 <rt_newmaddrmsg+23>:	mov    %gs:0x0,%rax
0xffffffff80ac49c0 <rt_newmaddrmsg+32>:	mov    0x440(%rax),%rax
0xffffffff80ac49c7 <rt_newmaddrmsg+39>:	mov    0x28(%rax),%rax
0xffffffff80ac49cb <rt_newmaddrmsg+43>:	cmpl   $0x0,-0x7e9fdc20(%rax)
0xffffffff80ac49d5 <rt_newmaddrmsg+53>:	je     0xffffffff80ac4a52 <rt_newmaddrmsg+178>
0xffffffff80ac49d7 <rt_newmaddrmsg+55>:	lea    -0x88(%rbp),%rdi
0xffffffff80ac49de <rt_newmaddrmsg+62>:	mov    $0x70,%esi
0xffffffff80ac49e3 <rt_newmaddrmsg+67>:	callq  0xffffffff80e3acb0 <bzero>
0xffffffff80ac49e8 <rt_newmaddrmsg+72>:	mov    0x10(%rbx),%rax
0xffffffff80ac49ec <rt_newmaddrmsg+76>:	mov    %rax,-0x58(%rbp)
0xffffffff80ac49f0 <rt_newmaddrmsg+80>:	xor    %eax,%eax
0xffffffff80ac49f2 <rt_newmaddrmsg+82>:	test   %r15,%r15
0xffffffff80ac49f5 <rt_newmaddrmsg+85>:	je     0xffffffff80ac4a01 <rt_newmaddrmsg+97>
0xffffffff80ac49f7 <rt_newmaddrmsg+87>:	mov    0x1d8(%r15),%rax
0xffffffff80ac49fe <rt_newmaddrmsg+94>:	mov    (%rax),%rax
0xffffffff80ac4a01 <rt_newmaddrmsg+97>:	mov    %rax,-0x60(%rbp)
0xffffffff80ac4a05 <rt_newmaddrmsg+101>:	mov    0x18(%rbx),%rax
0xffffffff80ac4a09 <rt_newmaddrmsg+105>:	mov    %rax,-0x78(%rbp)
0xffffffff80ac4a0d <rt_newmaddrmsg+109>:	lea    -0x88(%rbp),%rsi
0xffffffff80ac4a14 <rt_newmaddrmsg+116>:	mov    %r14d,%edi
0xffffffff80ac4a17 <rt_newmaddrmsg+119>:	callq  0xffffffff80ac42e0 <rtsock_msg_mbuf>
0xffffffff80ac4a1c <rt_newmaddrmsg+124>:	test   %rax,%rax
0xffffffff80ac4a1f <rt_newmaddrmsg+127>:	je     0xffffffff80ac4a52 <rt_newmaddrmsg+178>
0xffffffff80ac4a21 <rt_newmaddrmsg+129>:	mov    0x10(%rax),%rcx
0xffffffff80ac4a25 <rt_newmaddrmsg+133>:	mov    0x5c(%r15),%dx
0xffffffff80ac4a2a <rt_newmaddrmsg+138>:	mov    %dx,0xc(%rcx)
0xffffffff80ac4a2e <rt_newmaddrmsg+142>:	mov    -0x88(%rbp),%edx
0xffffffff80ac4a34 <rt_newmaddrmsg+148>:	mov    %edx,0x4(%rcx)
0xffffffff80ac4a37 <rt_newmaddrmsg+151>:	mov    0x10(%rbx),%rcx
0xffffffff80ac4a3b <rt_newmaddrmsg+155>:	test   %rcx,%rcx
0xffffffff80ac4a3e <rt_newmaddrmsg+158>:	je     0xffffffff80ac4a45 <rt_newmaddrmsg+165>
0xffffffff80ac4a40 <rt_newmaddrmsg+160>:	mov    0x1(%rcx),%cl
0xffffffff80ac4a43 <rt_newmaddrmsg+163>:	jmp    0xffffffff80ac4a47 <rt_newmaddrmsg+167>
0xffffffff80ac4a45 <rt_newmaddrmsg+165>:	xor    %ecx,%ecx
0xffffffff80ac4a47 <rt_newmaddrmsg+167>:	movzbl %cl,%esi
---Type <return> to continue, or q <return> to quit---
0xffffffff80ac4a4a <rt_newmaddrmsg+170>:	mov    %rax,%rdi
0xffffffff80ac4a4d <rt_newmaddrmsg+173>:	callq  0xffffffff80ac44a0 <rt_dispatch>
0xffffffff80ac4a52 <rt_newmaddrmsg+178>:	add    $0x78,%rsp
0xffffffff80ac4a56 <rt_newmaddrmsg+182>:	pop    %rbx
0xffffffff80ac4a57 <rt_newmaddrmsg+183>:	pop    %r14
0xffffffff80ac4a59 <rt_newmaddrmsg+185>:	pop    %r15
0xffffffff80ac4a5b <rt_newmaddrmsg+187>:	pop    %rbp
0xffffffff80ac4a5c <rt_newmaddrmsg+188>:	retq   
End of assembler dump.
Comment 1 Andrey V. Elsukov freebsd_committer 2019-02-14 13:23:17 UTC
This panic was due to the lack of VNET context in inp_gcmoptions(); it should be fixed after r333967.