[Bug 211031] [panic] in ng_uncallout when argument is NULL

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue Jul 12 10:31:09 UTC 2016 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211031

            Bug ID: 211031
           Summary: [panic] in ng_uncallout when argument is NULL
           Product: Base System
           Version: 11.0-BETA1
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: mizhka at gmail.com

Created attachment 172406
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=172406&action=edit
panic backtrace

Hi,

I faced panic error with 11-ALPHA6 and 12-CURRENT when I unplug ethernet cable
with active PPTP VPN connection. 

uname -a:
FreeBSD gidrarium 12.0-CURRENT FreeBSD 12.0-CURRENT #1: Sat Jul  9 17:28:38 MSK
2016    
jenkins at gidrarium:/builds/FreeBSD-src-head/obj/builds/FreeBSD-src-head/sys/GENERIC
 amd64

Test case:
 - use wired ethernet connection
 - establish PPTP connection using mpd5
 - unplug ethernet cable (=> panic)

db> bt
Tracing pid 902 tid 100675 td 0xfffff800169a1000 
ng_uncallout() at ng_uncallout+0x3d/frame 0xfffffe04530b3580
ng_pptpgre_disconnect() at ng_pptpgre_disconnect+0xbb/frame 0xfffff*
ng_destroy_hook() at ng_destroy_hook+0xlfe/frame 8xfffffe84538b35d8 
ng_ranode() at ng_ranode+0x75/frame 0xfffffe04538b3618 
ng_apply_item() at ng_apply_itea+0x4ca/frame 0xfffffeB4538b36a8 
ng_snd_item() at ng_snd_itea+0x3a9/frame 0xfffffeB4538b36e0 
ngc_send() at ngc_send+0x21b/frame 0xfffffe04530b3790 
sosend_generic() at sosend_generic+0x436/frame 0xfffffe04538b3850 
kern_sendit() at kern_sendit+0x21b/frame Bxfffffe04538b390B 
sendit() at sendit+0x19f/frame 0xfffffeB4530b3950 
sys_sendto() at sys_sendto+0x4d/frame 0xfffffe04530b39a0 
amd64_syscall() at amd64_syscall+0x2db/frame 0xfffffe04530b3ab0 
Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffeB4530b3abB 
--- syscall (133, FreeBSD ELF64, sys_sendto), rip = 0x80253906a, rsp -
0x7fffdfffd72B, rbp - 0x7fffdfffd770 

Panic happens due to missing check if item (c->c_arg) is NULL in ng_uncallout:

        item = c->c_arg;
        /* Do an extra check */
        if ((rval > 0) && (c->c_func == &ng_callout_trampoline) &&
            (NGI_NODE(item) == node)) {

I suppose that actual root cause may be in upper stack.

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list