Bug 211031 - [panic] in ng_uncallout when argument is NULL
Summary: [panic] in ng_uncallout when argument is NULL
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Sean Bruno
URL: https://reviews.freebsd.org/D7209
Keywords: crash, needs-qa, patch
Reported: 2016-07-12 10:31 UTC by Michael Zhilin
Modified: 2018-05-15 13:20 UTC (History)

See Also:
koobs: mfc-stable11?
koobs: mfc-stable10?


Attachments
panic backtrace (340.51 KB, image/jpeg)
2016-07-12 10:31 UTC, Michael Zhilin

Description Michael Zhilin freebsd_committer freebsd_triage 2016-07-12 10:31:09 UTC
Created attachment 172406 [details]
panic backtrace

Hi,

I faced a panic with 11-ALPHA6 and 12-CURRENT when I unplug the Ethernet cable with an active PPTP VPN connection.

uname -a:
FreeBSD gidrarium 12.0-CURRENT FreeBSD 12.0-CURRENT #1: Sat Jul  9 17:28:38 MSK 2016     jenkins@gidrarium:/builds/FreeBSD-src-head/obj/builds/FreeBSD-src-head/sys/GENERIC  amd64

Test case:
 - use wired ethernet connection
 - establish PPTP connection using mpd5
 - unplug ethernet cable (=> panic)

db> bt
Tracing pid 902 tid 100675 td 0xfffff800169a1000 
ng_uncallout() at ng_uncallout+0x3d/frame 0xfffffe04530b3580
ng_pptpgre_disconnect() at ng_pptpgre_disconnect+0xbb/frame 0xfffff*
ng_destroy_hook() at ng_destroy_hook+0x1fe/frame 0xfffffe84538b35d8
ng_rmnode() at ng_rmnode+0x75/frame 0xfffffe04538b3618
ng_apply_item() at ng_apply_item+0x4ca/frame 0xfffffeB4538b36a8
ng_snd_item() at ng_snd_item+0x3a9/frame 0xfffffeB4538b36e0
ngc_send() at ngc_send+0x21b/frame 0xfffffe04530b3790 
sosend_generic() at sosend_generic+0x436/frame 0xfffffe04538b3850 
kern_sendit() at kern_sendit+0x21b/frame 0xfffffe04538b390B
sendit() at sendit+0x19f/frame 0xfffffeB4530b3950 
sys_sendto() at sys_sendto+0x4d/frame 0xfffffe04530b39a0 
amd64_syscall() at amd64_syscall+0x2db/frame 0xfffffe04530b3ab0 
Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffeB4530b3abB 
--- syscall (133, FreeBSD ELF64, sys_sendto), rip = 0x80253906a, rsp = 0x7fffdfffd72B, rbp = 0x7fffdfffd770

The panic happens due to a missing check for whether item (c->c_arg) is NULL in ng_uncallout:

	item = c->c_arg;
	/* Do an extra check */
	if ((rval > 0) && (c->c_func == &ng_callout_trampoline) &&
	    (NGI_NODE(item) == node)) {

I suppose that the actual root cause may be further up the stack.
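
Added example (not part of the original report, and not the D7209 / r303848 change, which this page does not show): a userland C model of the quoted "extra check", with the unguarded form beside one that tests item for NULL before dereferencing it. The struct layouts, stop(), trampoline() and the owned_* helpers are simplified stand-ins constructed for illustration, not the kernel definitions.

```c
#include <stddef.h>
#include <stdio.h>

/* Userland stand-ins (constructed for this example, not kernel definitions). */
struct node { int id; };
struct item { struct node *dest; };     /* the field NGI_NODE(item) would read */
struct callout { void (*c_func)(void *); void *c_arg; int pending; };

static void trampoline(void *arg) { (void)arg; } /* models ng_callout_trampoline */

/* Models callout_stop(): > 0 only when a pending callout was cancelled. */
static int stop(struct callout *c) { int r = c->pending; c->pending = 0; return r; }

/* Check as quoted in the report: reads through item even when it is NULL. */
static int owned_unguarded(int rval, struct callout *c, struct node *node)
{
    struct item *item = c->c_arg;
    return rval > 0 && c->c_func == &trampoline && item->dest == node;
}

/* Same check with the NULL test placed before the dereference. */
static int owned_guarded(int rval, struct callout *c, struct node *node)
{
    struct item *item = c->c_arg;
    return rval > 0 && c->c_func == &trampoline &&
        item != NULL && item->dest == node;
}

/* Models the uncallout flow; *freed counts items that would be released. */
static int uncallout(struct callout *c, struct node *node, int *freed)
{
    int rval = stop(c);
    if (owned_guarded(rval, c, node))
        (*freed)++;                     /* stands in for NG_FREE_ITEM(item) */
    c->c_arg = NULL;
    return rval > 0;
}

int main(void)
{
    struct node n = { 1 };
    struct item it = { &n };
    struct callout armed = { trampoline, &it, 1 };
    struct callout empty = { trampoline, NULL, 1 }; /* c_arg NULL, as in the report */
    int freed = 0;
    int same = owned_unguarded(1, &armed, &n) == owned_guarded(1, &armed, &n);
    int r1 = uncallout(&armed, &n, &freed), r2 = uncallout(&empty, &n, &freed);
    printf("same=%d armed=%d empty=%d freed=%d\n", same, r1, r2, freed);
    return 0;
}
```

Passing the empty callout to owned_unguarded() with rval > 0 would fault on the item->dest read, which is the userland analogue of the page fault in ng_uncallout shown in the backtraces.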
Comment 1 Michael Zhilin freebsd_committer freebsd_triage 2016-07-13 23:18:05 UTC
Patch: https://reviews.freebsd.org/D7209
At least it works for me.
Comment 2 Dimitry Andric freebsd_committer freebsd_triage 2016-07-19 13:36:47 UTC
Similar panic here on stable/11 r302854, with a slightly different backtrace:

#0  __curthread () at ./machine/pcpu.h:221
#1  doadump (textdump=<optimized out>) at /home/dim/stable-11/sys/kern/kern_shutdown.c:298
#2  0xffffffff80ae663a in kern_reboot (howto=260) at /home/dim/stable-11/sys/kern/kern_shutdown.c:366
#3  0xffffffff80ae6beb in vpanic (fmt=<optimized out>, ap=0xfffffe04538b3180) at /home/dim/stable-11/sys/kern/kern_shutdown.c:759
#4  0xffffffff80ae6a23 in panic (fmt=<unavailable>) at /home/dim/stable-11/sys/kern/kern_shutdown.c:690
#5  0xffffffff80fb3020 in trap_fatal (frame=0xfffffe04538b3480, eva=16) at /home/dim/stable-11/sys/amd64/amd64/trap.c:841
#6  0xffffffff80fb3213 in trap_pfault (frame=0xfffffe04538b3480, usermode=0) at /home/dim/stable-11/sys/amd64/amd64/trap.c:691
#7  0xffffffff80fb27bd in trap (frame=0xfffffe04538b3480) at /home/dim/stable-11/sys/amd64/amd64/trap.c:442
#8  <signal handler called>
#9  ng_uncallout (c=0xfffff80019f21e60, node=0xfffff80019db3000) at /home/dim/stable-11/sys/modules/netgraph/netgraph/../../../netgraph/ng_base.c:3817
#10 0xffffffff82fbebbc in ng_pptpgre_reset (hpriv=0xfffff80019f21e00) at /home/dim/stable-11/sys/modules/netgraph/pptpgre/../../../netgraph/ng_pptpgre.c:966
#11 ng_pptpgre_disconnect (hook=<optimized out>) at /home/dim/stable-11/sys/modules/netgraph/pptpgre/../../../netgraph/ng_pptpgre.c:493
#12 0xffffffff82f9f928 in ng_destroy_hook (hook=0xfffff80019e4fe80) at /home/dim/stable-11/sys/modules/netgraph/netgraph/../../../netgraph/ng_base.c:1219
#13 0xffffffff82f9f635 in ng_rmnode (node=<optimized out>, dummy1=<optimized out>, dummy2=<optimized out>, dummy3=<optimized out>) at /home/dim/stable-11/sys/modules/netgraph/netgraph/../../../netgraph/ng_base.c:744
#14 0xffffffff82fa1843 in ng_generic_msg (here=0xfffff80019db3000, item=0xfffff801ab2a7e80, lasthook=<optimized out>) at /home/dim/stable-11/sys/modules/netgraph/netgraph/../../../netgraph/ng_base.c:2523
#15 ng_apply_item (node=0xfffff80019db3000, item=0xfffff801ab2a7e80, rw=1) at /home/dim/stable-11/sys/modules/netgraph/netgraph/../../../netgraph/ng_base.c:2437
#16 0xffffffff82fa11b3 in ng_snd_item (item=<optimized out>, flags=<optimized out>) at /home/dim/stable-11/sys/modules/netgraph/netgraph/../../../netgraph/ng_base.c:2320
#17 0xffffffff82f9bc4e in ngc_send (so=<optimized out>, flags=<optimized out>, m=<optimized out>, addr=<optimized out>, control=<optimized out>, td=<optimized out>) at /home/dim/stable-11/sys/modules/netgraph/socket/../../../netgraph/ng_socket.c:338
#18 0xffffffff80b80ea7 in sosend_generic (so=<optimized out>, addr=<optimized out>, uio=<optimized out>, top=<optimized out>, control=<optimized out>, flags=<optimized out>, td=<optimized out>) at /home/dim/stable-11/sys/kern/uipc_socket.c:1359
#19 0xffffffff80b88b7b in kern_sendit (td=<optimized out>, s=<optimized out>, mp=<optimized out>, flags=0, control=0x0, segflg=UIO_USERSPACE) at /home/dim/stable-11/sys/kern/uipc_syscalls.c:848
#20 0xffffffff80b88f7f in sendit (td=0xfffff80019f01500, s=<optimized out>, mp=0xfffffe04538b3960, flags=<optimized out>) at /home/dim/stable-11/sys/kern/uipc_syscalls.c:775
#21 0xffffffff80b88dcd in sys_sendto (td=0x0, uap=<optimized out>) at /home/dim/stable-11/sys/kern/uipc_syscalls.c:899
#22 0xffffffff80fb397e in syscallenter (td=<optimized out>, sa=<optimized out>) at /home/dim/stable-11/sys/amd64/amd64/../../kern/subr_syscall.c:135
#23 amd64_syscall (td=<optimized out>, traced=0) at /home/dim/stable-11/sys/amd64/amd64/trap.c:942
#24 <signal handler called>
#25 0x0000000802518caa in ?? ()
Comment 3 Glen Barber freebsd_committer freebsd_triage 2016-08-08 16:20:16 UTC
I do not see a corresponding commit to head or stable/11 for this.  Is this still an issue?
Comment 4 Dimitry Andric freebsd_committer freebsd_triage 2016-08-08 18:13:05 UTC
(In reply to Glen Barber from comment #3)
> I do not see a corresponding commit to head or stable/11 for this.  Is this
> still an issue?

I'm unsure, as I cannot immediately reproduce it anymore.  In https://reviews.freebsd.org/D7209, bz mentioned it might be related to Glebius's recent callout changes, but this was never really investigated.  Since the callout changes were recently cleaned up, this may have fixed this netgraph problem as a side effect?
Comment 5 Eugene Grosbein freebsd_committer freebsd_triage 2017-07-10 10:50:07 UTC
(In reply to Michael Zhilin from comment #1)

https://reviews.freebsd.org/D7209 seems to be committed to HEAD almost a year ago after 11.0 branched but was never MFC'd.
Comment 6 Eugene Grosbein freebsd_committer freebsd_triage 2017-08-07 09:05:14 UTC
Please perform MFC for r303848 to stable/11 and stable/10.
Comment 7 commit-hook freebsd_committer freebsd_triage 2018-05-14 22:57:26 UTC
A commit references this bug:

Author: sbruno
Date: Mon May 14 22:56:42 UTC 2018
New revision: 333615
URL: https://svnweb.freebsd.org/changeset/base/333615

Log:
  MFC r303848

  Repair trivial panic in ng_uncallout.  Fixes bugzilla #211031

  PR:		211031
  Approved by:	re (gjb)

Changes:
_U  stable/11/
  stable/11/sys/netgraph/ng_base.c
Comment 8 commit-hook freebsd_committer freebsd_triage 2018-05-15 13:19:57 UTC
A commit references this bug:

Author: sbruno
Date: Tue May 15 13:19:00 UTC 2018
New revision: 333629
URL: https://svnweb.freebsd.org/changeset/base/333629

Log:
  MFC r303848

  Repair trivial panic in ng_uncallout.  Fixes bugzilla #211031

  PR:		211031

Changes:
_U  stable/10/
  stable/10/sys/netgraph/ng_base.c
Comment 9 Sean Bruno freebsd_committer freebsd_triage 2018-05-15 13:20:38 UTC
Alrighty, thanks for the solid bug report.