Bug 236356 - Kernel panic after disconnect pptp client...
Summary: Kernel panic after disconnect pptp client...
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 12.0-STABLE
Hardware: amd64 Any
Importance: --- Affects Only Me
Assignee: freebsd-bugs (Nobody)
Keywords: panic
Depends on:
Reported: 2019-03-07 10:10 UTC by Sergey Anokhin
Modified: 2019-03-19 12:29 UTC
Description Sergey Anokhin 2019-03-07 10:10:19 UTC
Hi All,

FreeBSD version:
FreeBSD server.5034.ru 12.0-STABLE FreeBSD 12.0-STABLE #2 r343904M:

Kernel panic after disconnect pptp client (client was connected via mpd5):

# kgdb /boot/kernel/kernel /var/crash/vmcore.last
GNU gdb (GDB) 8.2.1 [GDB v8.2.1 for FreeBSD]
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-portbld-freebsd12.0".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
Find the GDB manual and other documentation resources online at:

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /boot/kernel/kernel...Reading symbols from /usr/lib/debug//boot/kernel/kernel.debug...done.

Unread portion of the kernel message buffer:
frame pointer           = 0x28:0xfffffe0050180600
code segment            = base rx0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 985 (mpd5)
trap number             = 12
panic: page fault
cpuid = 2
time = 1551948804
KDB: stack backtrace:
#0 0xffffffff80c531c7 at kdb_backtrace+0x67
#1 0xffffffff80c07143 at vpanic+0x1a3
#2 0xffffffff80c06f93 at panic+0x43
#3 0xffffffff8118d9ff at trap_fatal+0x35f
#4 0xffffffff8118da59 at trap_pfault+0x49
#5 0xffffffff8118d07e at trap+0x29e
#6 0xffffffff81168af5 at calltrap+0x8
#7 0xffffffff80dafecf at in_ifdetach+0x6f
#8 0xffffffff80d0af5d at if_detach_internal+0x8ed
#9 0xffffffff80d0a65e at if_detach+0x2e
#10 0xffffffff80d8e1f3 at ng_iface_shutdown+0x43
#11 0xffffffff80d87255 at ng_rmnode+0x1e5
#12 0xffffffff80d89581 at ng_apply_item+0x421
#13 0xffffffff80d88f10 at ng_snd_item+0x130
#14 0xffffffff80da248c at ngc_send+0x19c
#15 0xffffffff80c9de16 at sosend_generic+0x586
#16 0xffffffff80c9e120 at sosend+0x50
#17 0xffffffff80ca4f17 at kern_sendit+0x237
Uptime: 1d14h48m43s
Dumping 1005 out of 8077 MB:..2%..12%..21%..31%..42%..51%..61%..71%..82%..91%

__curthread () at ./machine/pcpu.h:230
230             __asm("movq %%gs:%P1,%0" : "=r" (td) : "n" (OFFSETOF_CURTHREAD));
(kgdb) bt
#0  __curthread () at ./machine/pcpu.h:230
#1  doadump (textdump=<optimized out>) at /usr/src/sys/kern/kern_shutdown.c:366
#2  0xffffffff80c06d2b in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:446
#3  0xffffffff80c071a3 in vpanic (fmt=<optimized out>, ap=0xfffffe0050180310) at /usr/src/sys/kern/kern_shutdown.c:872
#4  0xffffffff80c06f93 in panic (fmt=<unavailable>) at /usr/src/sys/kern/kern_shutdown.c:799
#5  0xffffffff8118d9ff in trap_fatal (frame=0xfffffe0050180500, eva=24) at /usr/src/sys/amd64/amd64/trap.c:929
#6  0xffffffff8118da59 in trap_pfault (frame=0xfffffe0050180500, usermode=0) at /usr/src/sys/amd64/amd64/trap.c:765
#7  0xffffffff8118d07e in trap (frame=0xfffffe0050180500) at /usr/src/sys/amd64/amd64/trap.c:441
#8  <signal handler called>
#9  0xffffffff80dbb7c8 in in_pcbpurgeif0 (pcbinfo=<optimized out>, ifp=0xfffff80165986800) at /usr/src/sys/netinet/in_pcb.c:1804
#10 0xffffffff80dafecf in in_ifdetach (ifp=0xfffff80165986800) at /usr/src/sys/netinet/in.c:1002
#11 0xffffffff80d0af5d in if_detach_internal (ifp=<optimized out>, vmove=0, ifcp=0x0) at /usr/src/sys/net/if.c:1160
#12 0xffffffff80d0a65e in if_detach (ifp=0x0) at /usr/src/sys/net/if.c:1039
#13 0xffffffff80d8e1f3 in ng_iface_shutdown (node=0xfffff80124360d00) at /usr/src/sys/netgraph/ng_iface.c:743
#14 0xffffffff80d87255 in ng_rmnode (node=0xfffff80124360d00, dummy1=<optimized out>, dummy2=<optimized out>, dummy3=<optimized out>)
    at /usr/src/sys/netgraph/ng_base.c:757
#15 0xffffffff80d89581 in ng_generic_msg (here=0xfffff80124360d00, item=<optimized out>, lasthook=<optimized out>) at /usr/src/sys/netgraph/ng_base.c:2523
#16 ng_apply_item (node=0xfffff80124360d00, item=0xfffff80228799c80, rw=1) at /usr/src/sys/netgraph/ng_base.c:2437
#17 0xffffffff80d88f10 in ng_snd_item (item=0xfffff80228799c80, flags=0) at /usr/src/sys/netgraph/ng_base.c:2320
#18 0xffffffff80da248c in ngc_send (so=<optimized out>, flags=<optimized out>, m=0xfffff801cac0f000, addr=<optimized out>, control=<optimized out>, td=<optimized out>)
    at /usr/src/sys/netgraph/ng_socket.c:338
#19 0xffffffff80c9de16 in sosend_generic (so=0xfffff8002b8bf6d0, addr=0xfffff8017d9d5f70, uio=0xfffffe0050180988, top=0xfffff801cac0f000, control=0x2363, flags=0,
    td=0xfffff8002bc14580) at /usr/src/sys/kern/uipc_socket.c:1582
#20 0xffffffff80c9e120 in sosend (so=0x0, addr=0xfffff80165986800, uio=0xfffff8002bc14580, top=0x1, control=0x0, flags=-2008371993, td=0xfffff8002bc14580)
    at /usr/src/sys/kern/uipc_socket.c:1628
#21 0xffffffff80ca4f17 in kern_sendit (td=0xfffff8002bc14580, s=5, mp=<optimized out>, flags=0, control=0x0, segflg=UIO_USERSPACE)
    at /usr/src/sys/kern/uipc_syscalls.c:796
#22 0xffffffff80ca528e in sendit (td=0xfffff8002bc14580, s=5, mp=0xfffffe0050180a70, flags=0) at /usr/src/sys/kern/uipc_syscalls.c:721
#23 0xffffffff80ca50dd in sys_sendto (td=0x0, uap=<optimized out>) at /usr/src/sys/kern/uipc_syscalls.c:838
#24 0xffffffff8118e592 in syscallenter (td=<optimized out>) at /usr/src/sys/amd64/amd64/../../kern/subr_syscall.c:135
#25 amd64_syscall (td=0xfffff8002bc14580, traced=0) at /usr/src/sys/amd64/amd64/trap.c:1154
#26 <signal handler called>
#27 0x000000080091a64a in ?? ()
Backtrace stopped: Cannot access memory at address 0x7fffdfffd6f8
(kgdb) frame 8
#8  <signal handler called>
(kgdb) frame 9
#9  0xffffffff80dbb7c8 in in_pcbpurgeif0 (pcbinfo=<optimized out>, ifp=0xfffff80165986800) at /usr/src/sys/netinet/in_pcb.c:1804
1804                                    if (imo->imo_membership[i]->inm_ifp == ifp) {
(kgdb) frame 10
#10 0xffffffff80dafecf in in_ifdetach (ifp=0xfffff80165986800) at /usr/src/sys/netinet/in.c:1002
1002            in_pcbpurgeif0(&V_udbinfo, ifp);
(kgdb) frame 11
#11 0xffffffff80d0af5d in if_detach_internal (ifp=<optimized out>, vmove=0, ifcp=0x0) at /usr/src/sys/net/if.c:1160
1160            in_ifdetach(ifp);
Comment 1 Sergey Anokhin 2019-03-17 09:08:23 UTC
Hi All,

The bug doesn't reproduce on r344923. Tested.

Comment 2 Eugene Grosbein freebsd_committer 2019-03-19 12:29:45 UTC
Closed as submitter reports this does not reproduce in recent revision.