241106 – tun/ppp: panic: vm_fault: fault on nofault entry when bringing ppp interface down

Bug 241106 - tun/ppp: panic: vm_fault: fault on nofault entry when bringing ppp interface down

Summary: tun/ppp: panic: vm_fault: fault on nofault entry when bringing ppp interface ...

Status:	Open

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	kern (show other bugs)
Version:	12.1-RELEASE
Hardware:	i386 Any

Importance:	--- Affects Some People
Assignee:	freebsd-net (Nobody)

URL:
Keywords:	crash, needs-patch, needs-qa

Depends on:
Blocks:	240700
	Show dependency tree / graph

Reported:	2019-10-06 21:02 UTC by lenzi.sergio
Modified:	2024-01-05 06:06 UTC (History)
CC List:	8 users (show)

See Also:

Flags:	grahamperrin: mfc-stable13?

Attachments
this patch test for null pointer in rtsock.c (1.64 KB, patch) 2019-10-16 20:13 UTC, lenzi.sergio	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description lenzi.sergio 2019-10-06 21:02:47 UTC

system panic
panic: vm_fault: fault on nofault entry, addr: 0

the system reboots, wrote crash files 
all available at http://www.k1.com.br/crash/

in summamy: it breaks at /usr/src/sys/net/rtsock.c:1579

   1578         if (rt->rt_ifp && !(rt->rt_ifp->if_flags & IFF_DYING)) {
   1579                 info.rti_info[RTAX_IFP] = rt->rt_ifp->if_addr->ifa_addr;
   1580                 info.rti_info[RTAX_IFA] = rt->rt_ifa->ifa_addr;
   1581                 if (rt->rt_ifp->if_flags & IFF_POINTOPOINT)
   1582                         info.rti_info[RTAX_BRD] = rt->rt_ifa->ifa_dstaddr;
   1583         }

the pointer to rt->ifp->if_addr is NULL a race condition where the memory was freed by another code in the event of the interface (tun1) on a ppp connection over internet using ipv4 and ppp was brought down.

All files can be seen/download from http://www.k1.com.br/crash
The panic occurs also on the current

Thanks for your attention.

Comment 1 Kubilay Kocak freebsd_committer

2019-10-07 00:21:05 UTC

(In reply to lenzi.sergio from comment #0)

Could you include as an attachment (sanitized, if necessary) the network configuration (rc.conf, etc) that describes the setup that reproduces the issue as mentioned in comment 0 (tun, ppp, ipv4, interface bring down) please

Comment 2 Hans Petter Selasky freebsd_committer

2019-10-07 07:38:27 UTC

I wonder if putting the section in question under EPOCH will help.

Comment 3 lenzi.sergio 2019-10-10 02:27:50 UTC

in the file /usr/src/sys/net/rtsock.c line 1579
for the pointer =>  rt->rt_ifp->if_addr the system does not panic, but any route to the ppp tunX (if_tun) results in a router to the remote ip on the ppp inteface to have no interface and than the system does not assign that address to the tun  ppp interface, reporting -> address already in use..

Comment 4 lenzi.sergio 2019-10-16 20:13:24 UTC

Created attachment 208370 [details]
this patch test for null pointer in rtsock.c

system panics on rtsock.c for the reason that rt->rt_ifp->if_addr have a null pointer. 
It is not clear the reason rt->rt_ifp->if_addr have a null pointer but when 
try to access rt->rt_ifp->if_addr->ifa_addr near line 1578 of rtsock.c the system panics... 

I also insert code of RTSOCK_LOCK/RTSOCK_UNLOCK  on any ioctl call, and since than, the system does not panic any more..

A more study must be done where/why rt->rt_ifp->if_addr comes NULL,  and in that case the colunm Netif from the command: netstat -4rn  either shows "" (nothing)  or "---".  when this happens, the system panics some minutes later...