[Bug 235097] ci runs failing with panic in IPv6 code with use-after-free in epair/pfctl when running sys/netpfil/pf/nat tests
bugzilla-noreply at freebsd.org
Mon Jan 21 03:57:03 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=235097
Bug ID: 235097
Summary: ci runs failing with panic in IPv6 code with use-after-free in epair/pfctl when running sys/netpfil/pf/nat tests
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: tests
Assignee: testing at freebsd.org
Reporter: ngie at FreeBSD.org
From https://ci.freebsd.org/job/FreeBSD-head-amd64-test/9853/console :
03:41:28 sys/netpfil/pf/fragmentation:too_many_fragments -> passed [11.324s]
03:41:40 sys/netpfil/pf/fragmentation:v6 -> passed [0.215s]
03:41:40 sys/netpfil/pf/names:names -> passed [0.165s]
03:41:40 sys/netpfil/pf/nat:exhaust -> lock order reversal:
03:41:43 1st 0xfffff8013181a490 filedesc structure (filedesc structure) @ /usr/src/sys/kern/sys_generic.c:1515
03:41:43 2nd 0xfffff80131b3e608 ufs (ufs) @ /usr/src/sys/kern/vfs_vnops.c:1513
03:41:43 stack backtrace:
03:41:43 #0 0xffffffff80c44c13 at witness_debugger+0x73
03:41:43 #1 0xffffffff80c44963 at witness_checkorder+0xac3
03:41:43 #2 0xffffffff80bb186d at lockmgr_xlock_hard+0x6d
03:41:43 #3 0xffffffff80bb2303 at __lockmgr_args+0x5f3
03:41:43 #4 0xffffffff80eeeaf5 at ffs_lock+0xa5
03:41:43 #5 0xffffffff81234703 at VOP_LOCK1_APV+0x63
03:41:43 #6 0xffffffff80cbfe25 at _vn_lock+0x65
03:41:43 #7 0xffffffff80cbec3a at vn_poll+0x3a
03:41:43 #8 0xffffffff80c4b06a at kern_poll+0x3ca
03:41:43 #9 0xffffffff80c4ac90 at sys_poll+0x50
03:41:43 #10 0xffffffff810abe96 at amd64_syscall+0x276
03:41:43 #11 0xffffffff81085f7d at fast_syscall_common+0x101
03:41:44 passed [3.421s]
03:41:44 sys/netpfil/pf/pass_block:noalias -> Jan 21 03:41:45 kernel: nd6_dad_timer: called with non-tentative address fe80:3::5a:1bff:fe50:80b(epair3b)
03:41:46 Jan 21 03:41:46 kernel: nd6_dad_timer: called with non-tentative address fe80:5::5a:1bff:fe50:80a(epair3a)
03:41:48 panic: Memory modified after free 0xfffffe003ee0c080(8) val=deadc0df @ 0xfffffe003ee0c080
03:41:48
03:41:48 cpuid = 1
03:41:48 time = 1548042108
03:41:48 KDB: stack backtrace:
03:41:48 db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe003f2f4030
03:41:48 vpanic() at vpanic+0x1b4/frame 0xfffffe003f2f4090
03:41:48 panic() at panic+0x43/frame 0xfffffe003f2f40f0
03:41:48 trash_ctor() at trash_ctor+0x4c/frame 0xfffffe003f2f4100
03:41:48 uma_zalloc_arg() at uma_zalloc_arg+0x9ff/frame 0xfffffe003f2f4190
03:41:48 uma_zalloc_pcpu_arg() at uma_zalloc_pcpu_arg+0x23/frame 0xfffffe003f2f41c0
03:41:48 pfioctl() at pfioctl+0x419e/frame 0xfffffe003f2f46b0
03:41:48 devfs_ioctl() at devfs_ioctl+0xca/frame 0xfffffe003f2f4700
03:41:48 VOP_IOCTL_APV() at VOP_IOCTL_APV+0x63/frame 0xfffffe003f2f4720
03:41:48 vn_ioctl() at vn_ioctl+0x124/frame 0xfffffe003f2f4830
03:41:48 devfs_ioctl_f() at devfs_ioctl_f+0x1f/frame 0xfffffe003f2f4850
03:41:48 kern_ioctl() at kern_ioctl+0x29b/frame 0xfffffe003f2f48c0
03:41:48 sys_ioctl() at sys_ioctl+0x15d/frame 0xfffffe003f2f4990
03:41:48 amd64_syscall() at amd64_syscall+0x276/frame 0xfffffe003f2f4ab0
03:41:48 fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe003f2f4ab0
03:41:48 --- syscall (54, FreeBSD ELF64, sys_ioctl), rip = 0x8004b02fa, rsp = 0x7fffffffcc38, rbp = 0x7fffffffd860 ---
03:41:48 KDB: enter: panic
03:41:48 [ thread pid 81820 tid 100186 ]
03:41:48 Stopped at kdb_enter+0x3b: movq $0,kdb_why
03:41:48 db:0:kdb.enter.panic> show pcpu
03:41:48 cpuid = 1
03:41:48 dynamic pcpu = 0xfffffe00801938c0
03:41:48 curthread = 0xfffff801317f55a0: pid 81820 tid 100186 "pfctl"
03:41:48 curpcb = 0xfffffe003f2f4b80
03:41:48 fpcurthread = 0xfffff801317f55a0: pid 81820 "pfctl"
03:41:48 idlethread = 0xfffff8000327b5a0: tid 100004 "idle: cpu1"
03:41:48 curpmap = 0xfffff80028f45130
03:41:48 tssp = 0xffffffff821cb208
03:41:48 commontssp = 0xffffffff821cb208
03:41:48 rsp0 = 0xfffffe003f2f4b80
03:41:48 gs32p = 0xffffffff821d1e40
03:41:48 ldt = 0xffffffff821d1e80
03:41:48 tss = 0xffffffff821d1e70
03:41:48 tlb gen = 466083
03:41:48 curvnet = 0xfffff800032e7a80
03:41:48 spin locks held:
03:41:48 db:0:kdb.enter.panic> alltrace
03:41:48
03:41:48 Tracing command pfctl pid 81820 tid 100186 td 0xfffff801317f55a0 (CPU 1)
03:41:48 kdb_enter() at kdb_enter+0x3b/frame 0xfffffe003f2f4030
03:41:48 vpanic() at vpanic+0x1d1/frame 0xfffffe003f2f4090
03:41:48 panic() at panic+0x43/frame 0xfffffe003f2f40f0
03:41:48 trash_ctor() at trash_ctor+0x4c/frame 0xfffffe003f2f4100
03:41:48 uma_zalloc_arg() at uma_zalloc_arg+0x9ff/frame 0xfffffe003f2f4190
03:41:48 uma_zalloc_pcpu_arg() at uma_zalloc_pcpu_arg+0x23/frame 0xfffffe003f2f41c0
03:41:48 pfioctl() at pfioctl+0x419e/frame 0xfffffe003f2f46b0
03:41:48 devfs_ioctl() at devfs_ioctl+0xca/frame 0xfffffe003f2f4700
03:41:48 VOP_IOCTL_APV() at VOP_IOCTL_APV+0x63/frame 0xfffffe003f2f4720
03:41:49 vn_ioctl() at vn_ioctl+0x124/frame 0xfffffe003f2f4830
03:41:49 devfs_ioctl_f() at devfs_ioctl_f+0x1f/frame 0xfffffe003f2f4850
03:41:49 kern_ioctl() at kern_ioctl+0x29b/frame 0xfffffe003f2f48c0
03:41:49 sys_ioctl() at sys_ioctl+0x15d/frame 0xfffffe003f2f4990
03:41:49 amd64_syscall() at amd64_syscall+0x276/frame 0xfffffe003f2f4ab0
03:41:49 fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe003f2f4ab0
03:41:49 --- syscall (54, FreeBSD ELF64, sys_ioctl), rip = 0x8004b02fa, rsp = 0x7fffffffcc38, rbp = 0x7fffffffd860 ---
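The console excerpt above is the whole evidence in this report, so what a practitioner triaging the CI run wants is a way to pull out, from the raw console text, which test was running when the kernel panicked, the lock order reversal that preceded it, the UMA trash value that tripped trash_ctor(), and the first frame outside the allocator (here pfioctl()). The script below is an added example, not code from the bug report or from the FreeBSD tree; the log it parses is a constructed, trimmed copy of the lines quoted above, and the constant 0xdeadc0de is the uma(9) debugging trash pattern that trash_ctor() compares freed memory against.

```python
"""Triage helper for FreeBSD CI console output (added example, not part of the bug report)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# uma(9) writes this pattern into freed items when UMA debugging is enabled;
# trash_ctor() panics with "Memory modified after free" when it no longer matches.
UMA_JUNK = 0xDEADC0DE

# Constructed sample: a trimmed copy of the console lines quoted in the report.
SAMPLE_LOG = """\
03:41:40 sys/netpfil/pf/nat:exhaust -> lock order reversal:
03:41:43 1st 0xfffff8013181a490 filedesc structure (filedesc structure) @ /usr/src/sys/kern/sys_generic.c:1515
03:41:43 2nd 0xfffff80131b3e608 ufs (ufs) @ /usr/src/sys/kern/vfs_vnops.c:1513
03:41:44 passed [3.421s]
03:41:44 sys/netpfil/pf/pass_block:noalias -> Jan 21 03:41:45 kernel: nd6_dad_timer: called with non-tentative address fe80:3::5a:1bff:fe50:80b(epair3b)
03:41:48 panic: Memory modified after free 0xfffffe003ee0c080(8) val=deadc0df @ 0xfffffe003ee0c080
03:41:48 KDB: stack backtrace:
03:41:48 db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe003f2f4030
03:41:48 vpanic() at vpanic+0x1b4/frame 0xfffffe003f2f4090
03:41:48 panic() at panic+0x43/frame 0xfffffe003f2f40f0
03:41:48 trash_ctor() at trash_ctor+0x4c/frame 0xfffffe003f2f4100
03:41:48 uma_zalloc_arg() at uma_zalloc_arg+0x9ff/frame 0xfffffe003f2f4190
03:41:48 uma_zalloc_pcpu_arg() at uma_zalloc_pcpu_arg+0x23/frame 0xfffffe003f2f41c0
03:41:48 pfioctl() at pfioctl+0x419e/frame 0xfffffe003f2f46b0
03:41:48 devfs_ioctl() at devfs_ioctl+0xca/frame 0xfffffe003f2f4700
03:41:48 KDB: enter: panic
03:41:48 [ thread pid 81820 tid 100186 ]
"""

TS = r"^\d\d:\d\d:\d\d "
TEST_RE = re.compile(TS + r"(sys/\S+) -> ")                       # kyua test id line
LOR_SIDE_RE = re.compile(TS + r"(1st|2nd) 0x[0-9a-f]+ .*? @ (\S+:\d+)$")
PANIC_RE = re.compile(TS + r"panic: (.*)$")
TRASH_RE = re.compile(r"val=([0-9a-f]+)")
FRAME_RE = re.compile(TS + r"(\w+)\(\) at \1\+0x[0-9a-f]+/frame 0x[0-9a-f]+")
THREAD_RE = re.compile(r"\[ thread pid (\d+) tid (\d+) \]")

PANIC_MACHINERY = {"db_trace_self_wrapper", "vpanic", "panic", "kdb_enter"}


def is_allocator_frame(fn: str) -> bool:
    """Frames belonging to UMA itself or its debug hooks, not to the caller that corrupted memory."""
    return fn in ("trash_ctor", "trash_dtor") or fn.startswith("uma_")


@dataclass
class Triage:
    failing_test: Optional[str] = None          # test running when the panic fired
    lors: List[Tuple[str, str]] = field(default_factory=list)  # (1st lock site, 2nd lock site)
    panic_message: Optional[str] = None
    trash_value: Optional[int] = None           # value found where UMA_JUNK was expected
    frames: List[str] = field(default_factory=list)
    pid: Optional[int] = None

    @property
    def trash_bytes_changed(self) -> Optional[int]:
        """How many bytes of the trash pattern were altered after free (1 here: deadc0de -> deadc0df)."""
        if self.trash_value is None:
            return None
        diff = self.trash_value ^ UMA_JUNK
        return sum(1 for shift in (0, 8, 16, 24) if (diff >> shift) & 0xFF)

    @property
    def detection_frame(self) -> Optional[str]:
        """First frame past the panic plumbing: where the corruption was detected."""
        return next((f for f in self.frames if f not in PANIC_MACHINERY), None)

    @property
    def caller_frame(self) -> Optional[str]:
        """First frame outside the allocator: the kernel code path that owns the stale object."""
        return next((f for f in self.frames
                     if f not in PANIC_MACHINERY and not is_allocator_frame(f)), None)


def triage(log: str) -> Triage:
    t = Triage()
    current_test = None
    pending_lor = None
    for line in log.splitlines():
        m = TEST_RE.match(line)
        if m:
            current_test = m.group(1)
        m = LOR_SIDE_RE.match(line)
        if m:
            if m.group(1) == "1st":
                pending_lor = m.group(2)
            elif pending_lor is not None:
                t.lors.append((pending_lor, m.group(2)))
                pending_lor = None
            continue
        m = PANIC_RE.match(line)
        if m and t.panic_message is None:       # keep the first panic only
            t.panic_message = m.group(1)
            t.failing_test = current_test
            v = TRASH_RE.search(line)
            if v:
                t.trash_value = int(v.group(1), 16)
            continue
        m = FRAME_RE.match(line)
        if m and t.panic_message is not None:   # only collect the post-panic backtrace
            t.frames.append(m.group(1))
            continue
        m = THREAD_RE.search(line)
        if m:
            t.pid = int(m.group(1))
    return t


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"test: {r.failing_test}  pid: {r.pid}")
    print(f"LORs: {r.lors}")
    print(f"panic: {r.panic_message}")
    print(f"trash bytes changed: {r.trash_bytes_changed}; detected in {r.detection_frame}(), caller {r.caller_frame}()")
```

Run against the real console log, the same script reports pass_block:noalias as the test that was active at the panic (the LOR on nat:exhaust passed), a single altered byte of the trash pattern (0xdeadc0de became 0xdeadc0df, consistent with something incrementing a counter in an object that had already been freed), and pfioctl() as the first non-allocator frame, which is where the stale reference was used.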