Bug 241106 - tun/ppp: panic: vm_fault: fault on nofault entry when bringing ppp interface down
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 12.1-RELEASE
Hardware: i386 Any
Importance: --- Affects Some People
Assignee: freebsd-net (Nobody)
Keywords: crash, needs-patch, needs-qa
Depends on:
Blocks: 240700
Reported: 2019-10-06 21:02 UTC by lenzi.sergio
Modified: 2019-12-11 16:14 UTC

See Also:
koobs: mfc-stable12?
koobs: mfc-stable11?

this patch test for null pointer in rtsock.c (1.64 KB, patch)
2019-10-16 20:13 UTC, lenzi.sergio

Description lenzi.sergio 2019-10-06 21:02:47 UTC
system panic
panic: vm_fault: fault on nofault entry, addr: 0

the system reboots, wrote crash files 
all available at http://www.k1.com.br/crash/

In summary: it breaks at /usr/src/sys/net/rtsock.c:1579

   1578         if (rt->rt_ifp && !(rt->rt_ifp->if_flags & IFF_DYING)) {
   1579                 info.rti_info[RTAX_IFP] = rt->rt_ifp->if_addr->ifa_addr;
   1580                 info.rti_info[RTAX_IFA] = rt->rt_ifa->ifa_addr;
   1581                 if (rt->rt_ifp->if_flags & IFF_POINTOPOINT)
   1582                         info.rti_info[RTAX_BRD] = rt->rt_ifa->ifa_dstaddr;
   1583         }

The pointer to rt->rt_ifp->if_addr is NULL: a race condition where the memory was freed by other code when the interface (tun1) on a ppp connection over the internet using ipv4 and ppp was brought down.

All files can be seen/downloaded from http://www.k1.com.br/crash
The panic also occurs on the current.

Thanks for your attention.
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2019-10-07 00:21:05 UTC
(In reply to lenzi.sergio from comment #0)

Could you include as an attachment (sanitized, if necessary) the network configuration (rc.conf, etc.) that describes the setup that reproduces the issue as mentioned in comment 0 (tun, ppp, ipv4, interface bring down), please?
Comment 2 Hans Petter Selasky freebsd_committer 2019-10-07 07:38:27 UTC
I wonder if putting the section in question under EPOCH will help.
Comment 3 lenzi.sergio 2019-10-10 02:27:50 UTC
In the file /usr/src/sys/net/rtsock.c line 1579
for the pointer => rt->rt_ifp->if_addr the system does not panic, but any route to the ppp tunX (if_tun) results in a router to the remote ip on the ppp interface to have no interface and then the system does not assign that address to the tun ppp interface, reporting -> address already in use.
Comment 4 lenzi.sergio 2019-10-16 20:13:24 UTC
Created attachment 208370 [details]
this patch test for null pointer in rtsock.c

The system panics in rtsock.c because rt->rt_ifp->if_addr has a null pointer.
It is not clear why rt->rt_ifp->if_addr has a null pointer, but when
trying to access rt->rt_ifp->if_addr->ifa_addr near line 1578 of rtsock.c the system panics...

I also inserted RTSOCK_LOCK/RTSOCK_UNLOCK code on any ioctl call, and since then, the system does not panic any more.

More study must be done on where/why rt->rt_ifp->if_addr becomes NULL, and in that case the column Netif from the command: netstat -4rn either shows "" (nothing) or "---". When this happens, the system panics some minutes later...
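
Added example (not part of the bug thread and not the attached patch): a userland model of the rtsock.c excerpt from comment 0, filling each rti_info slot only when the pointer behind it is non-NULL. The _m struct types, fill_if_slots(), demo() and the flag and index values are assumptions made for this model.

```c
#include <stddef.h>

/* Userland stand-ins for the kernel types in the excerpt; only the fields it
 * touches are modelled, and the flag/index values are constructed here. */
#define IFF_POINTOPOINT 0x10
#define IFF_DYING       0x200000
enum { RTAX_IFP = 4, RTAX_IFA = 5, RTAX_BRD = 7, RTAX_MAX = 8 };

struct sockaddr_m { int sa_family; };
struct ifaddr_m { struct sockaddr_m *ifa_addr, *ifa_dstaddr; };
struct ifnet_m { int if_flags; struct ifaddr_m *if_addr; };
struct rtentry_m { struct ifnet_m *rt_ifp; struct ifaddr_m *rt_ifa; };
struct rt_addrinfo_m { struct sockaddr_m *rti_info[RTAX_MAX]; };

/* Fill the interface slots; returns a bitmask of the RTAX_* slots set. */
int fill_if_slots(const struct rtentry_m *rt, struct rt_addrinfo_m *info)
{
    int set = 0;
    const struct ifnet_m *ifp = rt->rt_ifp;
    const struct ifaddr_m *ifa = rt->rt_ifa;
    if (ifp == NULL || (ifp->if_flags & IFF_DYING))
        return 0;
    if (ifp->if_addr != NULL) {          /* NULL in the reported panic */
        info->rti_info[RTAX_IFP] = ifp->if_addr->ifa_addr;
        set |= 1 << RTAX_IFP;
    }
    if (ifa != NULL) {                   /* excerpt dereferences this too */
        info->rti_info[RTAX_IFA] = ifa->ifa_addr;
        set |= 1 << RTAX_IFA;
        if (ifp->if_flags & IFF_POINTOPOINT) {
            info->rti_info[RTAX_BRD] = ifa->ifa_dstaddr;
            set |= 1 << RTAX_BRD;
        }
    }
    return set;
}

/* Constructed scenario: a tun-like interface with or without if_addr. */
int demo(int have_if_addr, int flags)
{
    struct sockaddr_m local = { 2 }, peer = { 2 };
    struct ifaddr_m ifa = { &local, &peer };
    struct ifnet_m tun = { flags, have_if_addr ? &ifa : NULL };
    struct rtentry_m rt = { &tun, &ifa };
    struct rt_addrinfo_m info = { { NULL } };
    return fill_if_slots(&rt, &info);
}

int main(void) { return demo(0, IFF_POINTOPOINT) == 0xa0 ? 0 : 1; }
```

A NULL test of this kind only avoids the dereference seen in the panic; it does not by itself close the race between interface teardown and the reader that the report describes.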