[Bug 197203] [VIMAGE] null pointer dereference causing kernel panic
bugzilla-noreply at freebsd.org
Fri Jan 30 18:28:13 UTC 2015
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197203
Bug ID: 197203
Summary: [VIMAGE] null pointer dereference causing kernel panic
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: lme at FreeBSD.org
I'm running 11.0-CURRENT #12 r277858M amd64 with "options VIMAGE" compiled into
the kernel.
Network-related settings in rc.conf:
gateway_enable="YES"
cloned_interfaces="bridge0 bridge1 tap0 tap1"
autobridge_interfaces="bridge0"
autobridge_bridge0="tap*"
ifconfig_bridge0="inet 192.168.29.1/24"
ipv6_activate_all_interfaces="YES"
ip6addrctl_enable="YES"
ip6addrctl_policy="ipv4_prefer"
ipv6_privacy="YES"
rtsold_enable="YES"
wlans_iwn0="wlan0"
ifconfig_wlan0="WPA DHCP country DE"
ifconfig_em0="DHCP"
ifconfig_em0_ipv6="inet6 accept_rtadv"
The machine boots fine, and all interfaces come up. But when I run "service netif restart" on the running system I get a kernel panic. The fault virtual address 0x28 matches the displacement of the faulting instruction at rt_newmaddrmsg+39, `mov 0x28(%rax),%rax`, and %rax there has just been loaded from 0x440(%rax) relative to the %gs:0x0 per-CPU pointer, so that pointer was NULL when this ran from the taskqueue thread (trap output, backtrace and disassembly below):
Fatal trap 12: page fault while in kernel mode
cpuid = 3; apic id = 03
fault virtual address = 0x28
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff80ac49c7
stack pointer = 0x28:0xfffffe04431d67b0
frame pointer = 0x28:0xfffffe04431d6850
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 0 (thread taskq)
Uptime: 3h55m14s
Dumping 857 out of 16050 MB:..2%..12%..21%..32%..42%..51%..62%..71%..81%..92%
#0 doadump (textdump=Unhandled dwarf expression opcode 0x93
) at pcpu.h:219
219 pcpu.h: No such file or directory.
in pcpu.h
(kgdb) #0 doadump (textdump=Unhandled dwarf expression opcode 0x93
) at pcpu.h:219
#1 0xffffffff809c6c2f in kern_reboot (howto=260)
at /usr/src/sys/kern/kern_shutdown.c:448
#2 0xffffffff809c7170 in panic (fmt=<value optimized out>)
at /usr/src/sys/kern/kern_shutdown.c:747
#3 0xffffffff803589b7 in db_panic (addr=<value optimized out>,
have_addr=Unhandled dwarf expression opcode 0x93)
at /usr/src/sys/ddb/db_command.c:473
#4 0xffffffff803585cc in db_command (cmd_table=0x0)
at /usr/src/sys/ddb/db_command.c:440
#5 0xffffffff80358334 in db_command_loop ()
at /usr/src/sys/ddb/db_command.c:493
#6 0xffffffff8035aef0 in db_trap (type=<value optimized out>, code=Unhandled
dwarf expression opcode 0x93)
at /usr/src/sys/ddb/db_main.c:251
#7 0xffffffff80a0a40e in kdb_trap (type=Unhandled dwarf expression opcode
0x93) at /usr/src/sys/kern/subr_kdb.c:654
#8 0xffffffff80e3d259 in trap_fatal (frame=0xfffffe04431d6700,
eva=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:856
#9 0xffffffff80e3d5d1 in trap_pfault (frame=0xfffffe04431d6700,
usermode=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:678
#10 0xffffffff80e3cc0e in trap (frame=0xfffffe04431d6700)
at /usr/src/sys/amd64/amd64/trap.c:426
#11 0xffffffff80e1e602 in calltrap ()
at /usr/src/sys/amd64/amd64/exception.S:235
#12 0xffffffff80ac49c7 in rt_newmaddrmsg (cmd=Unhandled dwarf expression opcode
0x93)
at /usr/src/sys/net/rtsock.c:1366
#13 0xffffffff80aadf90 in if_addmulti (ifp=0xfffff800065cb000,
sa=<value optimized out>, retifma=<value optimized out>)
at /usr/src/sys/net/if.c:3159
#14 0xffffffff80aed63e in ieee80211_ioctl (ifp=<value optimized out>,
cmd=<value optimized out>, data=<value optimized out>)
at /usr/src/sys/net80211/ieee80211_ioctl.c:3325
#15 0xffffffff80b1f2df in in_leavegroup (inm=0xfffff80205445500,
imf=<value optimized out>) at /usr/src/sys/netinet/in_mcast.c:1291
#16 0xffffffff80b2351d in inp_gcmoptions (context=<value optimized out>,
pending=<value optimized out>) at /usr/src/sys/netinet/in_mcast.c:1603
#17 0xffffffff80a1b309 in taskqueue_run_locked (queue=0xfffff80006358b00)
at /usr/src/sys/kern/subr_taskqueue.c:431
#18 0xffffffff80a1c1c8 in taskqueue_thread_loop (arg=<value optimized out>)
at /usr/src/sys/kern/subr_taskqueue.c:695
#19 0xffffffff8098627a in fork_exit (
callout=0xffffffff80a1c100 <taskqueue_thread_loop>,
arg=0xffffffff8189fde0, frame=0xfffffe04431d6ac0)
at /usr/src/sys/kern/kern_fork.c:996
#20 0xffffffff80e1eb3e in fork_trampoline ()
at /usr/src/sys/amd64/amd64/exception.S:610
#21 0x0000000000000000 in ?? ()
Current language: auto; currently minimal
(kgdb)
(kgdb) frame 12
#12 0xffffffff80ac49c7 in rt_newmaddrmsg (cmd=Unhandled dwarf expression opcode
0x93
) at /usr/src/sys/net/rtsock.c:1366
1366 if (V_route_cb.any_count == 0)
(kgdb) p $rip
$1 = (void (*)()) 0xffffffff80ac49c7 <rt_newmaddrmsg+39>
(kgdb) disas *($rip)
Dump of assembler code for function rt_newmaddrmsg:
0xffffffff80ac49a0 <rt_newmaddrmsg+0>: push %rbp
0xffffffff80ac49a1 <rt_newmaddrmsg+1>: mov %rsp,%rbp
0xffffffff80ac49a4 <rt_newmaddrmsg+4>: push %r15
0xffffffff80ac49a6 <rt_newmaddrmsg+6>: push %r14
0xffffffff80ac49a8 <rt_newmaddrmsg+8>: push %rbx
0xffffffff80ac49a9 <rt_newmaddrmsg+9>: sub $0x78,%rsp
0xffffffff80ac49ad <rt_newmaddrmsg+13>: mov %rsi,%rbx
0xffffffff80ac49b0 <rt_newmaddrmsg+16>: mov %edi,%r14d
0xffffffff80ac49b3 <rt_newmaddrmsg+19>: mov 0x20(%rbx),%r15
0xffffffff80ac49b7 <rt_newmaddrmsg+23>: mov %gs:0x0,%rax
0xffffffff80ac49c0 <rt_newmaddrmsg+32>: mov 0x440(%rax),%rax
0xffffffff80ac49c7 <rt_newmaddrmsg+39>: mov 0x28(%rax),%rax
0xffffffff80ac49cb <rt_newmaddrmsg+43>: cmpl $0x0,-0x7e9fdc20(%rax)
0xffffffff80ac49d5 <rt_newmaddrmsg+53>: je 0xffffffff80ac4a52 <rt_newmaddrmsg+178>
0xffffffff80ac49d7 <rt_newmaddrmsg+55>: lea -0x88(%rbp),%rdi
0xffffffff80ac49de <rt_newmaddrmsg+62>: mov $0x70,%esi
0xffffffff80ac49e3 <rt_newmaddrmsg+67>: callq 0xffffffff80e3acb0 <bzero>
0xffffffff80ac49e8 <rt_newmaddrmsg+72>: mov 0x10(%rbx),%rax
0xffffffff80ac49ec <rt_newmaddrmsg+76>: mov %rax,-0x58(%rbp)
0xffffffff80ac49f0 <rt_newmaddrmsg+80>: xor %eax,%eax
0xffffffff80ac49f2 <rt_newmaddrmsg+82>: test %r15,%r15
0xffffffff80ac49f5 <rt_newmaddrmsg+85>: je 0xffffffff80ac4a01 <rt_newmaddrmsg+97>
0xffffffff80ac49f7 <rt_newmaddrmsg+87>: mov 0x1d8(%r15),%rax
0xffffffff80ac49fe <rt_newmaddrmsg+94>: mov (%rax),%rax
0xffffffff80ac4a01 <rt_newmaddrmsg+97>: mov %rax,-0x60(%rbp)
0xffffffff80ac4a05 <rt_newmaddrmsg+101>: mov 0x18(%rbx),%rax
0xffffffff80ac4a09 <rt_newmaddrmsg+105>: mov %rax,-0x78(%rbp)
0xffffffff80ac4a0d <rt_newmaddrmsg+109>: lea -0x88(%rbp),%rsi
0xffffffff80ac4a14 <rt_newmaddrmsg+116>: mov %r14d,%edi
0xffffffff80ac4a17 <rt_newmaddrmsg+119>: callq 0xffffffff80ac42e0 <rtsock_msg_mbuf>
0xffffffff80ac4a1c <rt_newmaddrmsg+124>: test %rax,%rax
0xffffffff80ac4a1f <rt_newmaddrmsg+127>: je 0xffffffff80ac4a52 <rt_newmaddrmsg+178>
0xffffffff80ac4a21 <rt_newmaddrmsg+129>: mov 0x10(%rax),%rcx
0xffffffff80ac4a25 <rt_newmaddrmsg+133>: mov 0x5c(%r15),%dx
0xffffffff80ac4a2a <rt_newmaddrmsg+138>: mov %dx,0xc(%rcx)
0xffffffff80ac4a2e <rt_newmaddrmsg+142>: mov -0x88(%rbp),%edx
0xffffffff80ac4a34 <rt_newmaddrmsg+148>: mov %edx,0x4(%rcx)
0xffffffff80ac4a37 <rt_newmaddrmsg+151>: mov 0x10(%rbx),%rcx
0xffffffff80ac4a3b <rt_newmaddrmsg+155>: test %rcx,%rcx
0xffffffff80ac4a3e <rt_newmaddrmsg+158>: je 0xffffffff80ac4a45 <rt_newmaddrmsg+165>
0xffffffff80ac4a40 <rt_newmaddrmsg+160>: mov 0x1(%rcx),%cl
0xffffffff80ac4a43 <rt_newmaddrmsg+163>: jmp 0xffffffff80ac4a47 <rt_newmaddrmsg+167>
0xffffffff80ac4a45 <rt_newmaddrmsg+165>: xor %ecx,%ecx
0xffffffff80ac4a47 <rt_newmaddrmsg+167>: movzbl %cl,%esi
---Type <return> to continue, or q <return> to quit---
0xffffffff80ac4a4a <rt_newmaddrmsg+170>: mov %rax,%rdi
0xffffffff80ac4a4d <rt_newmaddrmsg+173>: callq 0xffffffff80ac44a0 <rt_dispatch>
0xffffffff80ac4a52 <rt_newmaddrmsg+178>: add $0x78,%rsp
0xffffffff80ac4a56 <rt_newmaddrmsg+182>: pop %rbx
0xffffffff80ac4a57 <rt_newmaddrmsg+183>: pop %r14
0xffffffff80ac4a59 <rt_newmaddrmsg+185>: pop %r15
0xffffffff80ac4a5b <rt_newmaddrmsg+187>: pop %rbp
0xffffffff80ac4a5c <rt_newmaddrmsg+188>: retq
End of assembler dump.