206613 – dhcpcd 6.10.1 crashes the 10.2-RELEASE kernel.

Bug 206613 - dhcpcd 6.10.1 crashes the 10.2-RELEASE kernel.

Summary: dhcpcd 6.10.1 crashes the 10.2-RELEASE kernel.

Status:	Closed FIXED

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	kern (show other bugs)
Version:	10.2-RELEASE
Hardware:	amd64 Any

Importance:	Normal Affects Some People
Assignee:	freebsd-bugs (Nobody)

URL:	http://roy.marples.name/projects/dhcp...
Keywords:	crash, needs-patch, needs-qa

Depends on:
Blocks:	206614
	Show dependency tree / graph

Reported:	2016-01-25 15:31 UTC by g_amanakis
Modified:	2016-02-08 01:37 UTC (History)
CC List:	2 users (show)

See Also:

Flags:	koobs: mfc-stable10? koobs: mfc-stable9?

Attachments
dhcpcd.conf (414 bytes, text/plain) 2016-01-26 23:31 UTC, g_amanakis	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description g_amanakis 2016-01-25 15:31:32 UTC

dhcpcd 6.10.1 and more specifically [6b2a5402c4] causes a kernel panic on FreeBSD 10.2 when starting a VNET iocage jail. The system runs a GENERIC kernel with VIMAGE and IPSEC enabled. Reverting this resolves the problem. 

/var/log/messsages:
  3 Jan 24 19:30:42 x3200 kernel: vnet0:1: link state changed to DOWN
  4 Jan 24 19:30:42 x3200 kernel: vnet0: link state changed to DOWN
  5 Jan 24 19:30:42 x3200 kernel: bridge1: link state changed to DOWN
  6 Jan 24 19:30:42 x3200 kernel: ifa_del_loopback_route: deletion failed: 48
  7 Jan 24 19:30:42 x3200 kernel: Freed UMA keg (udp_inpcb) was not empty (60 items).  Lost 6 pages of memory.
  8 Jan 24 19:30:42 x3200 kernel: Freed UMA keg (udpcb) was not empty (668 items).  Lost 4 pages of memory.
  9 Jan 24 19:30:42 x3200 kernel: Freed UMA keg (tcp_inpcb) was not empty (60 items).  Lost 6 pages of memory.
 10 Jan 24 19:30:42 x3200 kernel: Freed UMA keg (tcpcb) was not empty (18 items).  Lost 6 pages of memory.
 11 Jan 24 19:30:42 x3200 kernel: Freed UMA keg (ripcb) was not empty (60 items).  Lost 6 pages of memory.
 12 Jan 24 19:30:42 x3200 kernel: hhook_vnet_uninit: hhook_head type=1, id=1 cleanup required
 13 Jan 24 19:30:42 x3200 kernel: hhook_vnet_uninit: hhook_head type=1, id=0 cleanup required
 14 Jan 24 19:31:05 x3200 devd: Executing '/etc/pccard_ether epair0a start'
 15 Jan 24 19:31:05 x3200 kernel: epair0a:
 16 Jan 24 19:31:05 x3200 kernel:
 17 Jan 24 19:31:05 x3200 kernel: Fatal trap 12: page fault while in kernel mode
 18 Jan 24 19:31:05 x3200 kernel: cpuid = 1; apic id = 02
 19 Jan 24 19:31:05 x3200 kernel: Ethernet address: 02:ff:20:00:09:0a
 20 Jan 24 19:31:05 x3200 kernel: fault virtual address     = 0x0
 21 Jan 24 19:31:05 x3200 kernel: fault code                = supervisor read instruction, page not present
 22 Jan 24 19:31:05 x3200 kernel: instruction pointer       = 0x20:0x0
 23 Jan 24 19:31:05 x3200 kernel: stack pointer             = 0x28:0xfffffe04691ca720
 24 Jan 24 19:31:05 x3200 kernel: frame pointer             = 0x28:0xfffffe04691ca770
 25 Jan 24 19:31:05 x3200 kernel: epair0b: code segment             = base rx0, limit 0xfffff, type 0x1b
 26 Jan 24 19:31:05 x3200 kernel: = DPL 0, pres 1, long 1, def32 0, gran 1
 27 Jan 24 19:31:05 x3200 kernel: Ethernet address: 02:ff:70:00:0a:0b
 28 Jan 24 19:31:05 x3200 kernel: processor eflags  = interrupt enabled,
 29 Jan 24 19:31:05 x3200 kernel: epair0a: link state changed to UP
 30 Jan 24 19:33:13 x3200 syslogd: kernel boot file is /boot/kernel/kernel
 31 Jan 24 19:33:13 x3200 kernel: epair0b: link state changed to UP
 32 Jan 24 19:33:13 x3200 kernel: resume, IOPL = 0
 33 Jan 24 19:33:13 x3200 kernel: current process           = 10817 (dhcpcd)
 34 Jan 24 19:33:13 x3200 kernel: trap number               = 12
 35 Jan 24 19:33:13 x3200 kernel: panic: page fault
 36 Jan 24 19:33:13 x3200 kernel: cpuid = 1
 37 Jan 24 19:33:13 x3200 kernel: KDB: stack backtrace:
 38 Jan 24 19:33:13 x3200 kernel: #0 0xffffffff809442a0 at kdb_backtrace+0x60
 39 Jan 24 19:33:13 x3200 kernel: #1 0xffffffff80907a06 at vpanic+0x126
 40 Jan 24 19:33:13 x3200 kernel: #2 0xffffffff809078d3 at panic+0x43
 41 Jan 24 19:33:13 x3200 kernel: #3 0xffffffff80cd178b at trap_fatal+0x36b
 42 Jan 24 19:33:13 x3200 kernel: #4 0xffffffff80cd1a8d at trap_pfault+0x2ed
 43 Jan 24 19:33:13 x3200 kernel: #5 0xffffffff80cd112a at trap+0x47a
 44 Jan 24 19:33:13 x3200 kernel: #6 0xffffffff80cb74a2 at calltrap+0x8
 45 Jan 24 19:33:13 x3200 kernel: #7 0xffffffff809ca1cb at ifioctl+0x11eb
 46 Jan 24 19:33:13 x3200 kernel: #8 0xffffffff8095c195 at kern_ioctl+0x255
 47 Jan 24 19:33:13 x3200 kernel: #9 0xffffffff8095be90 at sys_ioctl+0x140
 48 Jan 24 19:33:13 x3200 kernel: #10 0xffffffff80cd20a7 at amd64_syscall+0x357
 49 Jan 24 19:33:13 x3200 kernel: #11 0xffffffff80cb778b at Xfast_syscall+0xfb
 50 Jan 24 19:33:13 x3200 kernel: Uptime: 30m59s

See http://roy.marples.name/projects/dhcpcd/tktview?name=3a1e57157d.
Expected behaviour: A userland app should not crash the kernel.

Comment 1 Kubilay Kocak freebsd_committer

2016-01-25 15:49:37 UTC

Add link to dhcpd commit that causes panic.

Comment 2 g_amanakis 2016-01-25 21:40:59 UTC

It suffices to run on the host:
ifconfig epair create
and the kernel panics in presence of dhcpcd. The error produced is exactly the same. This is also run by iocage when VNET jails are started.

Comment 3 g_amanakis 2016-01-26 01:18:25 UTC

I can reproduce this on a GENERIC 10.2-RELEASE kernel by running only "ifconfig epair create".

Comment 4 g_amanakis 2016-01-26 23:30:24 UTC

I tried my dhcpcd.conf configuration on a vanilla usb install of "FreeBSD-10.2-RELEASE-amd64-uefi-memstick.img" and I can reproduce the issue. This was on bare metal hardware.

Comment 5 g_amanakis 2016-01-26 23:31:14 UTC

Created attachment 166164 [details]
dhcpcd.conf

Comment 6 g_amanakis 2016-01-31 20:19:19 UTC

The issue seems resolved in the 10-STABLE kernel (as of r295091).