[Bug 262663] panic in ipv6 jail ipv6 prison_ip_check() in6_pcblookup_hash_locked() - corrupt stack?
Date: Sat, 19 Mar 2022 11:03:41 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262663
Bug ID: 262663
Summary: panic in ipv6 jail ipv6 prison_ip_check()
in6_pcblookup_hash_locked() - corrupt stack?
Product: Base System
Version: CURRENT
Hardware: arm64
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: dch@freebsd.org
Created attachment 232571
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=232571&action=edit
savecore extracted
reboot after panic: Assertion mtx_owned(&pr->pr_mtx) ||
in_epoch(net_epoch_preempt) || sx_xlocked(&allprison_lock) failed at
/usr/src/sys/kern/kern_jail.c:874
tree: https://git.sr.ht/~dch/src/log/feature/boot-from-iscsi
last in-source commit: 8b1f5965d9a55a93517c4366f3e1f22166c1aff6
build: 14.0-CURRENT@8b1f5965d9a55a93517c4366f3e1f22166c1aff6 + 2 iscsi patches
arch: arm64 ampere altra (in kvm)
db> bt
Tracing pid 61353 tid 100314 td 0xffffa00022328600
db_trace_self() at db_trace_self
db_stack_trace() at db_stack_trace+0x11c
db_command() at db_command+0x368
db_command_loop() at db_command_loop+0x54
db_trap() at db_trap+0xf8
kdb_trap() at kdb_trap+0x1cc
handle_el1h_sync() at handle_el1h_sync+0x10
--- exception, esr 0xf2000000
kdb_enter() at kdb_enter+0x44
vpanic() at vpanic+0x1b0
panic() at panic+0x44
prison_ip_check() at prison_ip_check+0x13c
in6_pcblookup_hash_locked() at in6_pcblookup_hash_locked+0x3a0
in_pcb_lport_dest() at in_pcb_lport_dest+0x394
in6_pcbconnect_mbuf() at in6_pcbconnect_mbuf+0x380
tcp6_connect() at tcp6_connect+0x9c
tcp6_usr_connect() at tcp6_usr_connect+0x168
soconnectat() at soconnectat+0xd0
kern_connectat() at kern_connectat+0xd0
sys_connect() at sys_connect+0xb0
do_el0_sync() at do_el0_sync+0x524
handle_el0_sync() at handle_el0_sync+0x40
--- exception, esr 0x56000000
Dump header from device: /dev/gpt/swap0
Architecture: aarch64
Architecture Version: 1
Dump Length: 1017606144
Blocksize: 512
Compression: none
Dumptime: 2022-03-19 10:27:30 +0000
Hostname: a01.cabal5.net
Magic: FreeBSD Kernel Dump
Version String: FreeBSD 14.0-CURRENT main-n253851-0cc463134c4 GENERIC
Panic String: Assertion mtx_owned(&pr->pr_mtx) || in_epoch(net_epoch_preempt)
|| sx_xlocked(&allprison_lock) failed at /usr/src/sys/kern/kern_jail.c:874
Dump Parity: 126362968
Bounds: 1
Dump Status: good
Unread portion of the kernel message buffer:
[2117] panic: Assertion mtx_owned(&pr->pr_mtx) || in_epoch(net_epoch_preempt)
|| sx_xlocked(&allprison_lock) failed at /usr/src/sys/kern/kern_jail.c:874
[2117] cpuid = 1
[2117] time = 1647685650
[2117] KDB: stack backtrace:
[2117] db_trace_self() at db_trace_self
[2117] db_trace_self_wrapper() at db_trace_self_wrapper+0x30
[2117] vpanic() at vpanic+0x174
[2117] panic() at panic+0x44
[2117] prison_ip_check() at prison_ip_check+0x13c
[2117] in6_pcblookup_hash_locked() at in6_pcblookup_hash_locked+0x3a0
[2117] in_pcb_lport_dest() at in_pcb_lport_dest+0x394
[2117] in6_pcbconnect_mbuf() at in6_pcbconnect_mbuf+0x380
[2117] tcp6_connect() at tcp6_connect+0x9c
[2117] tcp6_usr_connect() at tcp6_usr_connect+0x168
[2117] soconnectat() at soconnectat+0xd0
[2117] kern_connectat() at kern_connectat+0xd0
[2117] sys_connect() at sys_connect+0xb0
[2117] do_el0_sync() at do_el0_sync+0x524
[2117] handle_el0_sync() at handle_el0_sync+0x40
[2117] --- exception, esr 0x56000000
[2117] KDB: enter: panic
get_curthread () at /usr/src/sys/arm64/include/pcpu.h:75
75 __asm __volatile("ldr %0, [x18]" : "=&r"(td));
(kgdb) #0 get_curthread () at /usr/src/sys/arm64/include/pcpu.h:75
#1 doadump (textdump=0) at /usr/src/sys/kern/kern_shutdown.c:406
#2 0xffff00000010780c in db_dump (dummy=<optimized out>, dummy2=false,
dummy3=0, dummy4=0x0) at /usr/src/sys/ddb/db_command.c:575
#3 0xffff0000001076b8 in db_command (last_cmdp=<optimized out>,
cmd_table=<optimized out>, dopager=dopager@entry=1)
at /usr/src/sys/ddb/db_command.c:482
#4 0xffff000000107320 in db_command_loop ()
at /usr/src/sys/ddb/db_command.c:535
#5 0xffff00000010aaac in db_trap (type=<optimized out>, code=<optimized out>)
at /usr/src/sys/ddb/db_main.c:270
#6 0xffff0000004c2efc in kdb_trap (type=60, code=0, tf=0xffff0001575ec130)
at /usr/src/sys/kern/subr_kdb.c:733
#7 <signal handler called>
#8 kdb_enter (why=0xffff0000008ffd26 "panic", msg=<optimized out>)
at /usr/src/sys/kern/subr_kdb.c:506
#9 0xffff0000004772cc in vpanic (
fmt=0xffff000000879e36 "Assertion %s failed at %s:%d", ap=...)
at /usr/src/sys/kern/kern_shutdown.c:953
#10 0xffff000000477058 in panic (
fmt=0x12 <error: Cannot access memory at address 0x12>)
at /usr/src/sys/kern/kern_shutdown.c:889
#11 0xffff000000434db4 in prison_ip_check (pr=0xffffa001f7208000,
af=PR_INET6, addr=0xffff0001575ec568) at /usr/src/sys/kern/kern_jail.c:872
#12 0xffff000000633240 in prison_check_ip6_locked (pr=0x12,
ia6=0xffff0000008dedb6, ia6@entry=0xffff0001575ec568)
at /usr/src/sys/netinet6/in6_jail.c:302
#13 0xffff0000006390c0 in in6_pcblookup_hash_locked (pcbinfo=<optimized out>,
pcbinfo@entry=0xffff000043167748, faddr=<optimized out>,
fport_arg=fport_arg@entry=40975, laddr=0xffff0001575ec568,
lport_arg=lport_arg@entry=53511, lookupflags=<optimized out>,
lookupflags@entry=1, ifp=<optimized out>,
numa_domain=numa_domain@entry=255 '\377')
at /usr/src/sys/netinet6/in6_pcb.c:1081
#14 0xffff0000005e2c98 in in_pcb_lport_dest (
inp=inp@entry=0xffffa00047de39f0, lsa=lsa@entry=0xffff0001575ec560,
lportp=lportp@entry=0xffffa00047de3a9e, fsa=fsa@entry=0xffffa0001f910be0,
fport=<optimized out>, cred=cred@entry=0xffffa00020be2500,
lookupflags=lookupflags@entry=1) at /usr/src/sys/netinet/in_pcb.c:830
#15 0xffff000000638cfc in in6_pcbconnect_mbuf (
inp=inp@entry=0xffffa00047de39f0, nam=nam@entry=0xffffa0001f910be0,
cred=0xffffa00020be2500, m=<optimized out>, rehash=false)
at /usr/src/sys/netinet6/in6_pcb.c:502
#16 0xffff0000006391dc in in6_pcbconnect (inp=0x12,
inp@entry=0xffffa00047de39f0, nam=0x80, nam@entry=0xffffa0001f910be0,
cred=0xffff0000008dedb6) at /usr/src/sys/netinet6/in6_pcb.c:532
#17 0xffff00000061d2e0 in tcp6_connect (tp=tp@entry=0xffff00015da028a0,
nam=nam@entry=0xffffa0001f910be0, td=td@entry=0xffffa00022328600)
at /usr/src/sys/netinet/tcp_usrreq.c:1617
#18 0xffff00000061acf0 in tcp6_usr_connect (so=0xffff00015c6d8200,
nam=0xffffa0001f910be0, td=0xffffa00022328600)
at /usr/src/sys/netinet/tcp_usrreq.c:710
#19 0xffff00000051d8e0 in soconnectat (fd=fd@entry=-100,
so=so@entry=0xffff00015c6d8200, nam=nam@entry=0xffffa0001f910be0,
td=td@entry=0xffffa00022328600) at /usr/src/sys/kern/uipc_socket.c:1399
#20 0xffff0000005248a8 in kern_connectat (td=td@entry=0xffffa00022328600,
dirfd=-100, fd=<optimized out>, sa=sa@entry=0xffffa0001f910be0)
at /usr/src/sys/kern/uipc_syscalls.c:510
#21 0xffff0000005247b8 in sys_connect (td=0xffffa00022328600,
uap=0xffffa000223289f0) at /usr/src/sys/kern/uipc_syscalls.c:472
#22 0xffff000000788dac in syscallenter (td=0xffffa00022328600)
at /usr/src/sys/arm64/arm64/../../kern/subr_syscall.c:189
#23 svc_handler (td=0xffffa00022328600, frame=<optimized out>)
at /usr/src/sys/arm64/arm64/trap.c:199
#24 do_el0_sync (td=0xffffa00022328600, frame=<optimized out>)
at /usr/src/sys/arm64/arm64/trap.c:560
#25 <signal handler called>
#26 0x00000000860f91bc in ?? ()
#27 0x00000000831acf8c in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(kgdb)