Bug 245870

Summary: panic during startup of squid inside jail
Product: Base System
Reporter: Thomas von Dein <freebsd>
Component: kern
Assignee: Mark Johnston <markj>
Status: Closed FIXED
Severity: Affects Only Me
CC: markj
Priority: ---
Version: 12.1-STABLE
Hardware: Any
OS: Any

Description Thomas von Dein 2020-04-24 11:41:40 UTC
On a newly installed machine, starting squid in a jail leads to a kernel panic:

setfib 0 /usr/bin/env -i 'TERM=screen' 'HOME=/root' 'PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin' /usr/sbin/jail -l -u root -J /var/run/bwproxy1.jid /nfs/bfwproxy1/chroot IBD-SRV2237 172.17.149.32 /usr/local/etc/rc.d/squid start

This leads directly to a panic. After reboot, I got this backtrace:

root@ibd-srv2237: # kgdb /boot/kernel/kernel /localdisk/vmcore.0
GNU gdb (GDB) 9.1 [GDB v9.1 for FreeBSD]
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-portbld-freebsd12.1".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /boot/kernel/kernel...
Reading symbols from /usr/lib/debug//boot/kernel/kernel.debug...

Unread portion of the kernel message buffer:
panic: vm_fault_hold: fault on nofault entry, addr: 0xffffffff826e3000
cpuid = 4
time = 1587723711
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00005d1ec0
vpanic() at vpanic+0x19d/frame 0xfffffe00005d1f10
panic() at panic+0x43/frame 0xfffffe00005d1f70
vm_fault_hold() at vm_fault_hold+0x26b9/frame 0xfffffe00005d20c0
vm_fault() at vm_fault+0x60/frame 0xfffffe00005d2100
trap_pfault() at trap_pfault+0x164/frame 0xfffffe00005d2160
trap() at trap+0x29f/frame 0xfffffe00005d2270
calltrap() at calltrap+0x8/frame 0xfffffe00005d2270
--- trap 0xc, rip = 0xffffffff826e3000, rsp = 0xfffffe00005d2348, rbp = 0xfffffe00005d2380 ---
_end() at 0xffffffff826e3000/frame 0xfffffe00005d2380
tcp_do_segment() at tcp_do_segment+0x1685/frame 0xfffffe00005d2470
tcp_input() at tcp_input+0xdc1/frame 0xfffffe00005d25e0
ip_input() at ip_input+0x13b/frame 0xfffffe00005d2690
netisr_dispatch_src() at netisr_dispatch_src+0xcf/frame 0xfffffe00005d26e0
ether_demux() at ether_demux+0x139/frame 0xfffffe00005d2710
ether_nh_input() at ether_nh_input+0x346/frame 0xfffffe00005d2770
netisr_dispatch_src() at netisr_dispatch_src+0xcf/frame 0xfffffe00005d27c0
ether_input() at ether_input+0x4b/frame 0xfffffe00005d27f0
tcp_lro_flush() at tcp_lro_flush+0x228/frame 0xfffffe00005d2810
tcp_lro_rx2() at tcp_lro_rx2+0x627/frame 0xfffffe00005d28b0
iflib_rxeof() at iflib_rxeof+0xa17/frame 0xfffffe00005d29a0
_task_fn_rx() at _task_fn_rx+0x75/frame 0xfffffe00005d29e0
gtaskqueue_run_locked() at gtaskqueue_run_locked+0x144/frame 0xfffffe00005d2a40
gtaskqueue_thread_loop() at gtaskqueue_thread_loop+0x98/frame 0xfffffe00005d2a70
fork_exit() at fork_exit+0x83/frame 0xfffffe00005d2ab0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00005d2ab0
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
Uptime: 12m31s
Dumping 4570 out of 130908 MB:..1%..11%..21%..31%..41%..51%..61%..71%..81%..91%

__curthread () at /usr/src/sys/amd64/include/pcpu.h:234
234             __asm("movq %%gs:%P1,%0" : "=r" (td) : "n" (OFFSETOF_CURTHREAD));
(kgdb) bt
#0  __curthread () at /usr/src/sys/amd64/include/pcpu.h:234
#1  doadump (textdump=1) at /usr/src/sys/kern/kern_shutdown.c:371
#2  0xffffffff80c508bd in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:451
#3  0xffffffff80c50d49 in vpanic (fmt=<optimized out>, ap=<optimized out>) at /usr/src/sys/kern/kern_shutdown.c:877
#4  0xffffffff80c50b43 in panic (fmt=<unavailable>) at /usr/src/sys/kern/kern_shutdown.c:804
#5  0xffffffff8101d649 in vm_fault_hold (map=0xfffff81080000000, vaddr=<optimized out>, fault_type=4 '\004', fault_flags=<optimized out>, m_hold=0x0) at /usr/src/sys/vm/vm_fault.c:614
#6  0xffffffff8101af40 in vm_fault (map=0xfffff81080000000, vaddr=<optimized out>, fault_type=4 '\004', fault_flags=0) at /usr/src/sys/vm/vm_fault.c:562
#7  0xffffffff811bc5f4 in trap_pfault (frame=0xfffffe00005d2280, usermode=0) at /usr/src/sys/amd64/amd64/trap.c:846
#8  0xffffffff811bbacf in trap (frame=0xfffffe00005d2280) at /usr/src/sys/amd64/amd64/trap.c:443
#9  <signal handler called>
#10 0xffffffff826e3000 in ?? ()
#11 0xffffffff80cf1ebc in soisconnected (so=0xfffff8108ede7368) at /usr/src/sys/kern/uipc_socket.c:3775
#12 0xffffffff80e82a05 in tcp_do_segment (m=0xfffff81082086500, th=0xfffff8108208657a, so=0xfffff8108ede7368, tp=0xfffff801f23f1000, drop_hdrlen=52, tlen=<optimized out>, iptos=0 '\000')
    at /usr/src/sys/netinet/tcp_input.c:2414
#13 0xffffffff80e80771 in tcp_input (mp=<optimized out>, offp=<optimized out>, proto=<optimized out>) at /usr/src/sys/netinet/tcp_input.c:1395
#14 0xffffffff80df976b in ip_input (m=0x0) at /usr/src/sys/netinet/ip_input.c:828
#15 0xffffffff80d85f6f in netisr_dispatch_src (proto=1, source=<optimized out>, m=0x0) at /usr/src/sys/net/netisr.c:1122
#16 0xffffffff80d63669 in ether_demux (ifp=0xfffff810822e3000, m=0x0) at /usr/src/sys/net/if_ethersubr.c:879
#17 0xffffffff80d648e6 in ether_input_internal (ifp=0xfffff810822e3000, m=0x0) at /usr/src/sys/net/if_ethersubr.c:667
#18 ether_nh_input (m=<optimized out>) at /usr/src/sys/net/if_ethersubr.c:697
#19 0xffffffff80d85f6f in netisr_dispatch_src (proto=5, source=<optimized out>, m=0x0) at /usr/src/sys/net/netisr.c:1122
#20 0xffffffff80d63a7b in ether_input (ifp=0xfffff810822e3000, m=0x0) at /usr/src/sys/net/if_ethersubr.c:787
#21 0xffffffff80e89418 in tcp_lro_flush (lc=0xfffffe00042615a8, le=0xfffffe00face13f0) at /usr/src/sys/netinet/tcp_lro.c:397
#22 0xffffffff80e89e37 in tcp_lro_rx2 (lc=<optimized out>, m=<optimized out>, csum=<optimized out>, use_hash=<optimized out>) at /usr/src/sys/netinet/tcp_lro.c:100
#23 0xffffffff80d826e7 in iflib_rxeof (rxq=<optimized out>, budget=<optimized out>) at /usr/src/sys/net/iflib.c:2829
#24 0xffffffff80d7cb95 in _task_fn_rx (context=0xfffffe0004261580) at /usr/src/sys/net/iflib.c:3775
#25 0xffffffff80c9c854 in gtaskqueue_run_locked (queue=0xfffff81080130e00) at /usr/src/sys/kern/subr_gtaskqueue.c:378
#26 0xffffffff80c9c4b8 in gtaskqueue_thread_loop (arg=<optimized out>) at /usr/src/sys/kern/subr_gtaskqueue.c:559
#27 0xffffffff80c0fe13 in fork_exit (callout=0xffffffff80c9c420 <gtaskqueue_thread_loop>, arg=0xfffffe00043f7068, frame=0xfffffe00005d2ac0) at /usr/src/sys/kern/kern_fork.c:1065
#28 <signal handler called>


Kernel is:

root@ibd-srv2237: # uname -a
FreeBSD IBD-SRV2237 12.1-RELEASE-p1 FreeBSD 12.1-RELEASE-p1 #0 r356505M: Mon Apr  6 11:11:18 CEST 2020     root@build11:/usr/obj/usr/src/amd64.amd64/sys/M2  amd64


Sometimes squid starts successfully but the first packet arriving on :3128 leads to the same panic, but most of the time just the startup causes it.
Comment 1 Thomas von Dein 2020-04-28 11:25:27 UTC
After disabling the following kernel options:

# Statically Link in accept filters
options         ACCEPT_FILTER_DATA
options         ACCEPT_FILTER_DNS
options         ACCEPT_FILTER_HTTP

The system works as expected, squid starts up and the server keeps running.
Comment 2 Mark Johnston freebsd_committer freebsd_triage 2020-04-29 15:48:47 UTC
(In reply to Thomas von Dein from comment #0)
From frame 11 could you run:

(kgdb) p *so
(kgdb) p *so->so_listen
(kgdb) p *so->so_listen->sol_accept_filter

?

Based on the fault address, the accf_callback points to unmapped memory, but that's somewhat surprising since you're apparently compiling the accept filters directly into the kernel.  Are there any other accept filters that are being dynamically loaded?
Comment 3 Thomas von Dein 2020-05-04 10:52:42 UTC
(In reply to Mark Johnston from comment #2)

Hello Mark,

> From frame 11 could you run:
>
> (kgdb) p *so
> (kgdb) p *so->so_listen
> (kgdb) p *so->so_listen->sol_accept_filter

Yes:

(kgdb) f 11
#11 0xffffffff80cf1ebc in soisconnected (so=0xfffff8108ede7368) at /usr/src/sys/kern/uipc_socket.c:3775
3775                            ret = head->sol_accept_filter->accf_callback(so,
(kgdb) p *so
$1 = {so_lock = {lock_object = {lo_name = 0xffffffff81386dc0 "socket", lo_flags = 21168128, lo_data = 0, lo_witness = 0x0}, mtx_lock = 18446735281986889184}, so_count = 0, so_rdsel = {si_tdlist = {tqh_first = 0x0, 
      tqh_last = 0x0}, si_note = {kl_list = {slh_first = 0x0}, kl_lock = 0xffffffff80ceb1c0 <so_rdknl_lock>, kl_unlock = 0xffffffff80ceb240 <so_rdknl_unlock>, kl_assert_locked = 0xffffffff80ceb2a0 <so_rdknl_assert_locked>, 
      kl_assert_unlocked = 0xffffffff80ceb2b0 <so_rdknl_assert_unlocked>, kl_lockarg = 0xfffff8108ede7368, kl_autodestroy = 0}, si_mtx = 0x0}, so_wrsel = {si_tdlist = {tqh_first = 0x0, tqh_last = 0x0}, si_note = {kl_list = {
        slh_first = 0x0}, kl_lock = 0xffffffff80ceb2c0 <so_wrknl_lock>, kl_unlock = 0xffffffff80ceb340 <so_wrknl_unlock>, kl_assert_locked = 0xffffffff80ceb3a0 <so_wrknl_assert_locked>, 
      kl_assert_unlocked = 0xffffffff80ceb3b0 <so_wrknl_assert_unlocked>, kl_lockarg = 0xfffff8108ede7368, kl_autodestroy = 0}, si_mtx = 0x0}, so_type = 1, so_options = 4, so_linger = 0, so_state = 259, 
  so_pcb = 0xfffff801f21e7988, so_vnet = 0xfffff81080019b40, so_proto = 0xffffffff81b581b0 <inetsw+192>, so_timeo = 0, so_error = 0, so_sigio = 0x0, so_cred = 0xfffff8012cd3ee00, so_label = 0x0, so_gencnt = 23888, 
  so_emuldata = 0x0, so_dtor = 0x0, osd = {osd_nslots = 0, osd_slots = 0x0, osd_next = {le_next = 0x0, le_prev = 0x0}}, so_fibnum = 0, so_user_cookie = 0, so_ts_clock = 0, so_max_pacing_rate = 0, {{so_rcv = {sb_mtx = {
          lock_object = {lo_name = 0xffffffff813e98c0 "so_rcv", lo_flags = 16973824, lo_data = 0, lo_witness = 0x0}, mtx_lock = 18446735281986889184}, sb_sx = {lock_object = {lo_name = 0xffffffff81435c38 "so_rcv_sx", 
            lo_flags = 36896768, lo_data = 0, lo_witness = 0x0}, sx_lock = 1}, sb_sel = 0xfffff8108ede7390, sb_state = 0, sb_mb = 0x0, sb_mbtail = 0x0, sb_lastrecord = 0x0, sb_sndptr = 0x0, sb_fnrdy = 0x0, sb_sndptroff = 0, 
        sb_acc = 0, sb_ccc = 0, sb_hiwat = 1049740, sb_mbcnt = 0, sb_mcnt = 0, sb_ccnt = 0, sb_mbmax = 8397920, sb_ctl = 0, sb_lowat = 1, sb_timeo = 0, sb_flags = 2080, sb_upcall = 0xffffffff826e3000, sb_upcallarg = 0x0, 
        sb_aiojobq = {tqh_first = 0x0, tqh_last = 0xfffff8108ede7580}, sb_aiotask = {ta_link = {stqe_next = 0x0}, ta_pending = 0, ta_priority = 0, ta_func = 0xffffffff80cc7800 <soaio_rcv>, ta_context = 0xfffff8108ede7368}}, 
      so_snd = {sb_mtx = {lock_object = {lo_name = 0xffffffff813fbdb7 "so_snd", lo_flags = 16973824, lo_data = 0, lo_witness = 0x0}, mtx_lock = 0}, sb_sx = {lock_object = {lo_name = 0xffffffff8145a998 "so_snd_sx", 
            lo_flags = 36896768, lo_data = 0, lo_witness = 0x0}, sx_lock = 1}, sb_sel = 0xfffff8108ede73e0, sb_state = 0, sb_mb = 0x0, sb_mbtail = 0x0, sb_lastrecord = 0x0, sb_sndptr = 0x0, sb_fnrdy = 0x0, sb_sndptroff = 0, 
        sb_acc = 0, sb_ccc = 0, sb_hiwat = 1049740, sb_mbcnt = 0, sb_mcnt = 0, sb_ccnt = 0, sb_mbmax = 8397920, sb_ctl = 0, sb_lowat = 2048, sb_timeo = 0, sb_flags = 2048, sb_upcall = 0x0, sb_upcallarg = 0x0, sb_aiojobq = {
          tqh_first = 0x0, tqh_last = 0xfffff8108ede7670}, sb_aiotask = {ta_link = {stqe_next = 0x0}, ta_pending = 0, ta_priority = 0, ta_func = 0xffffffff80cc8080 <soaio_snd>, ta_context = 0xfffff8108ede7368}}, so_list = {
        tqe_next = 0x0, tqe_prev = 0xfffff8011cb60828}, so_listen = 0xfffff8011cb606d0, so_qstate = SQ_INCOMP, so_peerlabel = 0x0, so_oobmark = 0}, {sol_incomp = {tqh_first = 0xffffffff813e98c0, tqh_last = 0x1030000}, 
      sol_comp = {tqh_first = 0x0, tqh_last = 0xfffff801047e65e0}, sol_qlen = 2168675384, sol_incqlen = 4294967295, sol_qlimit = 36896768, sol_accept_filter = 0x0, sol_accept_filter_arg = 0x1, 
      sol_accept_filter_str = 0xfffff8108ede7390 "", sol_upcall = 0x0, sol_upcallarg = 0x0, sol_sbrcv_lowat = 0, sol_sbsnd_lowat = 0, sol_sbrcv_hiwat = 0, sol_sbsnd_hiwat = 0, sol_sbrcv_flags = 0, sol_sbsnd_flags = 0, 
      sol_sbrcv_timeo = 0, sol_sbsnd_timeo = 0}}}
(kgdb) p *so->so_listen
$2 = {so_lock = {lock_object = {lo_name = 0xffffffff81386dc0 "socket", lo_flags = 21168128, lo_data = 0, lo_witness = 0x0}, mtx_lock = 18446735281986889184}, so_count = 2, so_rdsel = {si_tdlist = {tqh_first = 0x0, 
      tqh_last = 0x0}, si_note = {kl_list = {slh_first = 0xfffff810a58bd780}, kl_lock = 0xffffffff80ceb1c0 <so_rdknl_lock>, kl_unlock = 0xffffffff80ceb240 <so_rdknl_unlock>, 
      kl_assert_locked = 0xffffffff80ceb2a0 <so_rdknl_assert_locked>, kl_assert_unlocked = 0xffffffff80ceb2b0 <so_rdknl_assert_unlocked>, kl_lockarg = 0xfffff8011cb606d0, kl_autodestroy = 0}, si_mtx = 0x0}, so_wrsel = {
    si_tdlist = {tqh_first = 0x0, tqh_last = 0x0}, si_note = {kl_list = {slh_first = 0x0}, kl_lock = 0xffffffff80ceb2c0 <so_wrknl_lock>, kl_unlock = 0xffffffff80ceb340 <so_wrknl_unlock>, 
      kl_assert_locked = 0xffffffff80ceb3a0 <so_wrknl_assert_locked>, kl_assert_unlocked = 0xffffffff80ceb3b0 <so_wrknl_assert_unlocked>, kl_lockarg = 0xfffff8011cb606d0, kl_autodestroy = 0}, si_mtx = 0x0}, so_type = 1, 
  so_options = 4102, so_linger = 0, so_state = 256, so_pcb = 0xfffff810c0ce07a0, so_vnet = 0xfffff81080019b40, so_proto = 0xffffffff81b581b0 <inetsw+192>, so_timeo = 0, so_error = 0, so_sigio = 0x0, 
  so_cred = 0xfffff8012cd3ee00, so_label = 0x0, so_gencnt = 23864, so_emuldata = 0x0, so_dtor = 0x0, osd = {osd_nslots = 0, osd_slots = 0x0, osd_next = {le_next = 0x0, le_prev = 0x0}}, so_fibnum = 0, so_user_cookie = 0, 
  so_ts_clock = 0, so_max_pacing_rate = 0, {{so_rcv = {sb_mtx = {lock_object = {lo_name = 0xfffff8108ede7368 "\300m8\201\377\377\377\377", lo_flags = 2396944032, lo_data = 4294965264, lo_witness = 0x0}, 
          mtx_lock = 18446735282393188408}, sb_sx = {lock_object = {lo_name = 0x100000000 <error: Cannot access memory at address 0x100000000>, lo_flags = 1024, lo_data = 0, lo_witness = 0xfffff80106739540}, sx_lock = 0}, 
        sb_sel = 0x0, sb_state = 0, sb_mb = 0x0, sb_mbtail = 0x80000000001, sb_lastrecord = 0x10000000100000, sb_sndptr = 0x8000800, sb_fnrdy = 0x0, sb_sndptroff = 0, sb_acc = 0, sb_ccc = 0, sb_hiwat = 0, sb_mbcnt = 0, 
        sb_mcnt = 0, sb_ccnt = 0, sb_mbmax = 0, sb_ctl = 0, sb_lowat = 1, sb_timeo = 0, sb_flags = 2048, sb_upcall = 0x0, sb_upcallarg = 0x0, sb_aiojobq = {tqh_first = 0x0, tqh_last = 0xfffff8011cb608e8}, sb_aiotask = {
          ta_link = {stqe_next = 0x0}, ta_pending = 0, ta_priority = 0, ta_func = 0xffffffff80cc7800 <soaio_rcv>, ta_context = 0xfffff8011cb606d0}}, so_snd = {sb_mtx = {lock_object = {lo_name = 0xffffffff813fbdb7 "so_snd", 
            lo_flags = 16908288, lo_data = 0, lo_witness = 0x0}, mtx_lock = 4}, sb_sx = {lock_object = {lo_name = 0xffffffff8145a998 "so_snd_sx", lo_flags = 36831232, lo_data = 0, lo_witness = 0x0}, sx_lock = 6}, 
        sb_sel = 0xfffff8011cb60748, sb_state = 0, sb_mb = 0x0, sb_mbtail = 0x0, sb_lastrecord = 0x0, sb_sndptr = 0x0, sb_fnrdy = 0x0, sb_sndptroff = 0, sb_acc = 0, sb_ccc = 0, sb_hiwat = 0, sb_mbcnt = 0, sb_mcnt = 0, 
        sb_ccnt = 0, sb_mbmax = 0, sb_ctl = 0, sb_lowat = 2048, sb_timeo = 0, sb_flags = 2048, sb_upcall = 0x0, sb_upcallarg = 0x0, sb_aiojobq = {tqh_first = 0x0, tqh_last = 0xfffff8011cb609d8}, sb_aiotask = {ta_link = {
            stqe_next = 0x0}, ta_pending = 0, ta_priority = 0, ta_func = 0xffffffff80cc8080 <soaio_snd>, ta_context = 0xfffff8011cb606d0}}, so_list = {tqe_next = 0x0, tqe_prev = 0x0}, so_listen = 0x0, so_qstate = SQ_NONE, 
      so_peerlabel = 0x0, so_oobmark = 0}, {sol_incomp = {tqh_first = 0xfffff8108ede7368, tqh_last = 0xfffff8108ede76a0}, sol_comp = {tqh_first = 0x0, tqh_last = 0xfffff8011cb60838}, sol_qlen = 0, sol_incqlen = 1, 
      sol_qlimit = 1024, sol_accept_filter = 0xfffff80106739540, sol_accept_filter_arg = 0x0, sol_accept_filter_str = 0x0, sol_upcall = 0x0, sol_upcallarg = 0x0, sol_sbrcv_lowat = 1, sol_sbsnd_lowat = 2048, 
      sol_sbrcv_hiwat = 1048576, sol_sbsnd_hiwat = 1048576, sol_sbrcv_flags = 2048, sol_sbsnd_flags = 2048, sol_sbrcv_timeo = 0, sol_sbsnd_timeo = 0}}}
(kgdb) p *so->so_listen->sol_accept_filter
$3 = {accf_name = "httpready\000\000\000\000\000\000", accf_callback = 0xffffffff826e3000, accf_create = 0x0, accf_destroy = 0x0, accf_next = {sle_next = 0x0}}


> Are there any other accept filters that are being dynamically loaded?

I don't really know, it's a standard squid from ports.


Tom
Comment 4 Mark Johnston freebsd_committer freebsd_triage 2020-05-13 15:08:44 UTC
(In reply to Thomas von Dein from comment #3)
Thanks, sorry for the delay.  Could you also show output from

(kgdb) p accf_http_mod
(kgdb) p sohashttpget

?
Comment 5 Thomas von Dein 2020-05-18 10:18:42 UTC
Sorry for the delay. Here's the output:

(kgdb) p accf_http_mod
$4 = {name = 0xffffffff81451a75 "accf_http", evhand = 0xffffffff80cde880 <accept_filt_generic_mod_event>, priv = 0xffffffff81b54168 <accf_http_filter>}
(kgdb) p sohashttpget   
$5 = {int (struct socket *, void *, int)} 0xffffffff80dd87c0 <sohashttpget>


Tom
Comment 6 Mark Johnston freebsd_committer freebsd_triage 2020-05-18 13:42:02 UTC
(In reply to Thomas von Dein from comment #5)
Thanks, I think I can reproduce the problem now.  Did you also have accf_http_load="YES" set in /boot/loader.conf?  That is, were you enabling the httpready filter in both loader.conf and the kernel configuration (with options ACCEPT_FILTER_HTTP)?
Comment 7 Thomas von Dein 2020-05-18 14:59:04 UTC
Indeed, the option is enabled in /boot/loader.conf.
Comment 8 commit-hook freebsd_committer freebsd_triage 2020-05-19 18:36:11 UTC
A commit references this bug:

Author: markj
Date: Tue May 19 18:35:09 UTC 2020
New revision: 361263
URL: https://svnweb.freebsd.org/changeset/base/361263

Log:
  Define a module version for accept filter modules.

  Otherwise accept filters compiled into the kernel do not preempt
  preloaded accept filter modules.  Then, the preloaded file registers its
  accept filter module before the kernel, and the kernel's attempt fails
  since duplicate accept filter list entries are not permitted.  This
  causes the preloaded file's module to be released, since
  module_register_init() does a lookup by name, so the preloaded file is
  unloaded, and the accept filter's callback points to random memory since
  preload_delete_name() unmaps the file on x86 as of r336505.

  Add a new ACCEPT_FILTER_DEFINE macro which wraps the accept filter and
  module definitions, and ensures that a module version is defined.

  PR:		245870
  Reported by:	Thomas von Dein <freebsd@daemon.de>
  MFC after:	2 weeks
  Sponsored by:	The FreeBSD Foundation

Changes:
  head/sys/netinet/accf_data.c
  head/sys/netinet/accf_dns.c
  head/sys/netinet/accf_http.c
  head/sys/sys/socketvar.h
Comment 9 Mark Johnston freebsd_committer freebsd_triage 2020-05-19 18:38:59 UTC
(In reply to Thomas von Dein from comment #7)
With the recent commit, this type of "double" configuration (compiling the filter into the kernel and preloading accf_http.ko at boot time) will no longer cause a kernel panic.  I'll merge it to stable/12 soon.
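
The "double" configuration described in the commit log and in comment 9, as an added example that is not part of the original bug thread: a shell check that reports accept filters which are both compiled into the kernel and preloaded from loader.conf. The function names, file paths and sample file contents are constructed for illustration, and treating the last loader.conf assignment as the effective one is an assumption.

```sh
#!/bin/sh
# Added example (not from the bug thread): report accept filters that are both
# compiled into the kernel (options ACCEPT_FILTER_<X>) and preloaded by the
# loader (accf_<x>_load="YES"), the combination discussed in this PR.

# List accf_* names enabled by "options ACCEPT_FILTER_<X>" in a kernel config.
static_filters() {
    sed -e 's/#.*//' "$1" |
    awk '$1 == "options" && $2 ~ /^ACCEPT_FILTER_[A-Z]+$/ {
             sub(/^ACCEPT_FILTER_/, "", $2); print "accf_" tolower($2)
         }' | sort -u
}

# List accf_* modules whose effective accf_<x>_load value is YES.
# Assumption: a later assignment in the file overrides an earlier one.
preloaded_filters() {
    sed -e 's/#.*//' -e 's/"//g' "$1" |
    awk -F= '
        { key = $1; val = $2; gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val) }
        key ~ /^accf_[a-z]+_load$/ { last[key] = toupper(val) }
        END {
            for (k in last) if (last[k] == "YES") {
                n = k; sub(/_load$/, "", n); print n
            }
        }' | sort -u
}

# Print every filter present in both lists (one name per line).
double_configured() {
    _static=$(mktemp); _pre=$(mktemp)
    static_filters "$1" > "$_static"
    preloaded_filters "$2" > "$_pre"
    comm -12 "$_static" "$_pre"
    rm -f "$_static" "$_pre"
}

# Constructed sample input mirroring the configuration in this report.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/KERNCONF" <<'EOF'
# Statically Link in accept filters
options         ACCEPT_FILTER_DATA
options         ACCEPT_FILTER_DNS
options         ACCEPT_FILTER_HTTP
EOF
cat > "$demo_dir/loader.conf" <<'EOF'
# constructed sample
accf_http_load="YES"
#accf_data_load="YES"
accf_dns_load="NO"
EOF

for f in $(double_configured "$demo_dir/KERNCONF" "$demo_dir/loader.conf"); do
    echo "WARNING: $f is compiled into the kernel and also preloaded by loader.conf"
done
```

Run it against the kernel configuration file used for the build and /boot/loader.conf; an empty result means no accept filter is configured twice.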
Comment 10 commit-hook freebsd_committer freebsd_triage 2020-06-02 00:58:34 UTC
A commit references this bug:

Author: markj
Date: Tue Jun  2 00:57:49 UTC 2020
New revision: 361717
URL: https://svnweb.freebsd.org/changeset/base/361717

Log:
  MFC r361263, r361338:
  Define a module version for accept filter modules.

  PR:	245870

Changes:
_U  stable/12/
  stable/12/sys/netinet/accf_data.c
  stable/12/sys/netinet/accf_dns.c
  stable/12/sys/netinet/accf_http.c
  stable/12/sys/sys/socketvar.h
Comment 11 Mark Johnston freebsd_committer freebsd_triage 2020-06-02 00:59:17 UTC
Thanks for the report and for the help with debugging.