[Bug 285813] Panic (NULL deref) in arptimer
Date: Mon, 31 Mar 2025 17:41:07 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=285813
Bug ID: 285813
Summary: Panic (NULL deref) in arptimer
Product: Base System
Version: 14.2-STABLE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: peter.blok@bsd4all.org
Unread portion of the kernel message buffer:
Fatal trap 12: page fault while in kernel mode
cpuid = 2; apic id = 04
fault virtual address = 0x458
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff805e7410
stack pointer = 0x28:0xfffffe00109d6cf0
frame pointer = 0x28:0xfffffe00109d6d90
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 2 (clock (0))
rdi: fffff8001bc27d28 rsi: 0000000000000000 rdx: 0000000000000000
rcx: 0000000000000000 r8: ffffffff8063bd40 r9: 0000000000000004
rax: 0000000000000001 rbx: 0000000000000000 rbp: fffffe00109d6d90
r10: 0000000000000001 r11: fffff800014cd000 r12: fffff8001bc27d28
r13: fffff80001562740 r14: 0000000000000000 r15: fffffe00109d6d28
trap number = 12
panic: page fault
cpuid = 2
time = 1743271861
KDB: stack backtrace:
#0 0xffffffff80639e1d at kdb_backtrace+0x5d
#1 0xffffffff805ec471 at vpanic+0x161
#2 0xffffffff805ec303 at panic+0x43
#3 0xffffffff809a61af at trap_pfault+0x3af
#4 0xffffffff8097ecd8 at calltrap+0x8
#5 0xffffffff80748432 at arptimer+0x252
#6 0xffffffff8060a249 at softclock_call_cc+0x129
#7 0xffffffff8060ba15 at softclock_thread+0xe5
#8 0xffffffff805a6a41 at fork_exit+0x81
#9 0xffffffff8097fd3e at fork_trampoline+0xe
Analysis
sys/kern/kern_rwlock.c:__rw_wlock_hard()
    .....
    if (!(v & RW_LOCK_READ)) {
        rw_drop_critical(v, &in_critical, &extra_work);
        sleep_reason = WRITER;
        owner = lv_rw_wowner(v);
        if (!TD_IS_RUNNING(owner))
            goto ts;
Although RW_LOCK_READ is 0, RW_LOCK_READ is 1 after returning from
rw_drop_critical. This causes lv_rw_wowner() to return NULL.
Please let me know if more info is needed.
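A small triage helper for a "Fatal trap 12" report like the one above, added here as an example and not part of the bug report or of FreeBSD. It assumes only two conventions visible in the dump: a fault address inside the first page means a NULL base pointer plus a struct field offset (here 0x458), and the frame listed right after calltrap is the code that actually took the fault (here arptimer+0x252). The sample input is constructed from the lines of this report.

```python
import re

PAGE_SIZE = 4096  # amd64 base page; the zero page is never mapped for the kernel

# Constructed sample: the relevant message-buffer lines quoted in this report.
MSGBUF = """\
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x458
fault code = supervisor read data, page not present
rdi: fffff8001bc27d28 rsi: 0000000000000000 rdx: 0000000000000000
rcx: 0000000000000000 r8: ffffffff8063bd40 r9: 0000000000000004
rax: 0000000000000001 rbx: 0000000000000000 rbp: fffffe00109d6d90
r10: 0000000000000001 r11: fffff800014cd000 r12: fffff8001bc27d28
r13: fffff80001562740 r14: 0000000000000000 r15: fffffe00109d6d28
KDB: stack backtrace:
#0 0xffffffff80639e1d at kdb_backtrace+0x5d
#1 0xffffffff805ec471 at vpanic+0x161
#2 0xffffffff805ec303 at panic+0x43
#3 0xffffffff809a61af at trap_pfault+0x3af
#4 0xffffffff8097ecd8 at calltrap+0x8
#5 0xffffffff80748432 at arptimer+0x252
#6 0xffffffff8060a249 at softclock_call_cc+0x129
"""

FRAME_RE = re.compile(r"^#\d+\s+0x[0-9a-f]+\s+at\s+([^+\s]+)\+(0x[0-9a-f]+)", re.M)
REG_RE = re.compile(r"\b(r[a-z0-9]{1,2}):\s*([0-9a-f]{16})\b")

def classify_fault(va):
    """An address inside the first page cannot be a valid kernel pointer: the
    access went through a NULL base pointer and `va` is the field offset."""
    return ("null-deref", va) if va < PAGE_SIZE else ("wild-pointer", None)

def faulting_frame(msgbuf):
    """Frames above calltrap belong to trap handling; the first frame after it
    is the function that was executing when the page fault happened."""
    frames = FRAME_RE.findall(msgbuf)
    names = [sym for sym, _ in frames]
    if "calltrap" not in names or names.index("calltrap") + 1 >= len(frames):
        return None
    sym, off = frames[names.index("calltrap") + 1]
    return f"{sym}+{off}"

def triage(msgbuf):
    """Reduce one trap report to the facts a triager wants first."""
    m = re.search(r"fault virtual address\s*=\s*(0x[0-9a-fA-F]+)", msgbuf)
    va = int(m.group(1), 16) if m else None
    kind, offset = classify_fault(va) if va is not None else (None, None)
    zero_regs = [r for r, v in REG_RE.findall(msgbuf) if int(v, 16) == 0]
    return {"fault_va": va, "kind": kind, "field_offset": offset,
            "faulting_frame": faulting_frame(msgbuf), "zero_regs": zero_regs}
```

Registers holding zero at the trap (rsi, rdx, rcx, rbx, r14 in this dump) are the candidates for the NULL base pointer; which one it is has to be confirmed against the disassembly at the faulting address.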