From nobody Fri May 14 15:42:23 2021
X-Original-To: bugs@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 82C8083D584
	for <bugs@mlmmj.nyi.freebsd.org>; Fri, 14 May 2021 15:42:23 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4FhXpR3Ctvz4SMw
	for <bugs@FreeBSD.org>; Fri, 14 May 2021 15:42:23 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 6209914F93
	for <bugs@FreeBSD.org>; Fri, 14 May 2021 15:42:23 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.5])
	by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 14EFgNSU076734
	for <bugs@FreeBSD.org>; Fri, 14 May 2021 15:42:23 GMT
	(envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
	by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 14EFgNCa076733
	for bugs@FreeBSD.org; Fri, 14 May 2021 15:42:23 GMT
	(envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 255882] vxlan(4): kernel panic when unloading module if vxlan
 interface in VNET jails not shutdown before jail shutdown
Date: Fri, 14 May 2021 15:42:23 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.0-RELEASE
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: kumba@gentoo.org
X-Bugzilla-Status: New
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform
 op_sys bug_status bug_severity priority component assigned_to reporter
Message-ID: <bug-255882-227@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Archive: http://lists.freebsd.org/bugs
List-Help: <mailto:bugs+help@freebsd.org>
List-Post: <mailto:bugs@freebsd.org>
List-Subscribe: <mailto:bugs+subscribe@freebsd.org>
List-Unsubscribe: <mailto:bugs+unsubscribe@freebsd.org>
MIME-Version: 1.0

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D255882

            Bug ID: 255882
           Summary: vxlan(4): kernel panic when unloading module if vxlan
                    interface in VNET jails not shutdown before jail
                    shutdown
           Product: Base System
           Version: 13.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: kumba@gentoo.org

Found a corner case bug in the if_vxlan module where, if a VNET jail with an
active vxlan interface is shutdown before the interface is destroyed, and t=
he
if_vxlan module is then unloaded on the host, the kernel will panic.

Fatal trap 12: page fault while in kernel mode
cpuid =3D 0; apic id =3D 00
fault virtual address   =3D 0x30
fault code              =3D supervisor read data, page not present
instruction pointer     =3D 0x20:0xffffffff80d1bce3
stack pointer           =3D 0x28:0xfffffe00c7c2c880
frame pointer           =3D 0x28:0xfffffe00c7c2c8c0
code segment            =3D base 0x0, limit 0xfffff, type 0x1b
                        =3D DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        =3D interrupt enabled, resume, IOPL =3D 0
current process         =3D 83973 (kldunload)
trap number             =3D 12
panic: page fault
cpuid =3D 0
time =3D 1621005409
KDB: stack backtrace:
#0 0xffffffff80c57345 at kdb_backtrace+0x65
#1 0xffffffff80c09d21 at vpanic+0x181
#2 0xffffffff80c09b93 at panic+0x43
#3 0xffffffff8108b187 at trap_fatal+0x387
#4 0xffffffff8108b1df at trap_pfault+0x4f
#5 0xffffffff8108a83d at trap+0x27d
#6 0xffffffff810617a8 at calltrap+0x8
#7 0xffffffff80d1ae6e at if_detach_internal+0xbe
#8 0xffffffff80d1abdb at if_detach+0x5b
#9 0xffffffff82923d53 at vxlan_clone_destroy+0x83
#10 0xffffffff80d21fa5 at if_clone_destroyif+0x1b5
#11 0xffffffff80d227b8 at if_clone_detach+0xb8
#12 0xffffffff829230b4 at vxlan_modevent+0xb4
#13 0xffffffff80be7058 at module_unload+0x38
#14 0xffffffff80bd8daa at linker_file_unload+0x1ea
#15 0xffffffff80bda0e0 at kern_kldunload+0xe0
#16 0xffffffff8108ba8c at amd64_syscall+0x10c
#17 0xffffffff810620ce at fast_syscall_common+0xf8
Uptime: 21m51s
Dumping 681 out of 7128 MB:..3%..12%..22%..31%..43%..52%..62%..71%..83%..92%

__curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:55
55      /usr/src/sys/amd64/include/pcpu_aux.h: No such file or directory.
(kgdb) #0  __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:55
#1  doadump (textdump=3D<optimized out>)
    at /usr/src/sys/kern/kern_shutdown.c:399
#2  0xffffffff80c09916 in kern_reboot (howto=3D260)
    at /usr/src/sys/kern/kern_shutdown.c:486
#3  0xffffffff80c09d90 in vpanic (fmt=3D<optimized out>, ap=3D<optimized ou=
t>)
    at /usr/src/sys/kern/kern_shutdown.c:919
#4  0xffffffff80c09b93 in panic (fmt=3D<unavailable>)
    at /usr/src/sys/kern/kern_shutdown.c:843
#5  0xffffffff8108b187 in trap_fatal (frame=3D0xfffffe00c7c2c7c0, eva=3D48)
    at /usr/src/sys/amd64/amd64/trap.c:915
#6  0xffffffff8108b1df in trap_pfault (frame=3Dframe@entry=3D0xfffffe00c7c2=
c7c0,=20
    usermode=3Dfalse, signo=3D<optimized out>, signo@entry=3D0x0,=20
    ucode=3D<optimized out>, ucode@entry=3D0x0)
    at /usr/src/sys/amd64/amd64/trap.c:732
#7  0xffffffff8108a83d in trap (frame=3D0xfffffe00c7c2c7c0)
    at /usr/src/sys/amd64/amd64/trap.c:398
#8  <signal handler called>
#9  0xffffffff80d1bce3 in _if_delgroup_locked (
    ifp=3Difp@entry=3D0xfffff8000e7d8000, ifgl=3Difgl@entry=3D0xfffff8012e5=
e2b20,=20
    groupname=3Dgroupname@entry=3D0xfffffe00c7c2c8e0 "all")
    at /usr/src/sys/net/if.c:1587
#10 0xffffffff80d1ae6e in if_delgroups (ifp=3D0xfffff8000e7d8000)
    at /usr/src/sys/net/if.c:1640
#11 if_detach_internal (ifp=3Difp@entry=3D0xfffff8000e7d8000,=20
    vmove=3Dvmove@entry=3D0, ifcp=3Difcp@entry=3D0x0) at /usr/src/sys/net/i=
f.c:1174
#12 0xffffffff80d1abdb in if_detach (ifp=3D0xfffff8000e7d8000, ifp@entry=3D=
0x0)
    at /usr/src/sys/net/if.c:1127
#13 0xffffffff80d2419a in ether_ifdetach (ifp=3Difp@entry=3D0xfffff8000e7d8=
000)
    at /usr/src/sys/net/if_ethersubr.c:1034
#14 0xffffffff82923d53 in vxlan_clone_destroy (ifp=3D0xfffff8000e7d8000)
    at /usr/src/sys/net/if_vxlan.c:3233
#15 0xffffffff80d21fa5 in ifc_simple_destroy (ifc=3D0xfffff80110143900,=20
    ifp=3D0xfffff8000e7d8000) at /usr/src/sys/net/if_clone.c:740
#16 if_clone_destroyif (ifc=3Difc@entry=3D0xfffff80110143900,=20
    ifp=3D0xfffff8000e7d8000) at /usr/src/sys/net/if_clone.c:335
#17 0xffffffff80d227b8 in if_clone_detach (ifc=3D0xfffff80110143900)
    at /usr/src/sys/net/if_clone.c:458
#18 0xffffffff829230b4 in vxlan_unload () at /usr/src/sys/net/if_vxlan.c:36=
06
#19 vxlan_modevent (mod=3D<optimized out>, type=3D<optimized out>,=20
    unused=3D<optimized out>) at /usr/src/sys/net/if_vxlan.c:3623
#20 0xffffffff80be7058 in module_unload (mod=3Dmod@entry=3D0xfffff8010ffef4=
00)
    at /usr/src/sys/kern/kern_module.c:261
#21 0xffffffff80bd8daa in linker_file_unload (
    file=3Dfile@entry=3D0xfffff801124c1000, flags=3Dflags@entry=3D0)
    at /usr/src/sys/kern/kern_linker.c:697
#22 0xffffffff80bda0e0 in kern_kldunload (td=3D<optimized out>,=20
    fileid=3D<optimized out>, flags=3D0) at /usr/src/sys/kern/kern_linker.c=
:1150
#23 0xffffffff8108ba8c in syscallenter (td=3D0xfffffe00c85fe700)
    at /usr/src/sys/amd64/amd64/../../kern/subr_syscall.c:189
#24 amd64_syscall (td=3D0xfffffe00c85fe700, traced=3D0)
    at /usr/src/sys/amd64/amd64/trap.c:1156
#25 <signal handler called>
#26 0x00000008003803ea in ?? ()
Backtrace stopped: Cannot access memory at address 0x7fffffffd248
(kgdb)=20

Steps to reproduce:

1. Install FreeBSD
2. Create minimal /etc/jail.conf on host
3. Create two minimal VNET jails, 'j1' and 'j2'
4. Create a new epair interface set on host.
5. Assign epair0a to jail j1 and epair0b to jail j2 and start the jails
6. On the host, kldload if_vxlan
7. In each jail, assign a /31 point-to-point IP to the epair0x interfaces
8. In each jail, ping other jail to verify epair tunnel is up
9. In each jail, create a new vxlan interface:
   * vxlanid: any
   * vxlanlocal: j1 is epair0a IP, j2 is epair0b IP
   * vxlanremote: j1 is j2's epair0b IP, j2 is j1's epair0a IP
10. In each jail, assign new IPv4/IPv6 addresses to the vxlan interfaces
11. In each jail, ping the other jail across the vxlan tunnel to verify
connectivity.
12. On the host, shutdown both jails *without* shutting down the vxlan or e=
pair
interfaces
13. On the host, kldunload if_vxlan --> kernel panic

--=20
You are receiving this mail because:
You are the assignee for the bug.=