Piotr Durlej wrote:
Hi,
I just want to make sure this hasn't gone unnoticed:
http://marc.info/?l=openbsd-bugs&m=131179618801709&w=2
http://marc.info/?l=openbsd-bugs&m=131180575015325&w=2
I was able to reproduce this bug on OpenBSD 5.0.
# cat /etc/rc.conf.local
ntpd_flags= # enabled during install
pf=NO
# cat /etc/hostname.sl0
inet 192.168.253.1 255.255.255.255 192.168.253.2
!/sbin/slattach -s 115200 cua00
!/sbin/route -q add -host 192.168.254.2 192.168.253.2
#
A flood ping should be sufficient to reproduce the bug in a few seconds:
# ping -f 192.168.253.2
And here is the dmesg with ddb trace and ps output:
ddb>
OpenBSD 5.0 (GENERIC) #43: Wed Aug 17 10:10:52 MDT 2011
[email protected]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: VIA Nehemiah ("CentaurHauls" 686-class) 1.01 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MTRR,PGE,CMOV,PAT,MMX,FXSR,SSE
real mem = 125300736 (119MB)
avail mem = 113270784 (108MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 11/02/05, BIOS32 rev. 0 @ 0xfb390,
SMBIOS rev. 2.2 @ 0xf0800 (37 entries)
bios0: vendor Phoenix Technologies, LTD version "6.00 PG" date 11/02/2005
bios0: Neoware Systems Inc. Thin Client
apm0 at bios0: Power Management spec V1.2 (slowidle)
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xf0000/0xdf84
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdef0/128 (6 entries)
pcibios0: PCI Exclusive IRQs: 5 11 12 15
pcibios0: PCI Interrupt Router at 000:17:0 ("VIA VT82C596A ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0xf400
cpu0 at mainbus0: (uniprocessor)
cpu0: RNG AES
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "VIA VT8623 PCI" rev 0x00
viaagp0 at pchb0: v2
agp0 at viaagp0: aperture at 0xee000000, size 0xe800000
ppb0 at pci0 dev 1 function 0 "VIA VT8633 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "VIA CLE266" rev 0x03
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
uhci0 at pci0 dev 16 function 0 "VIA VT83C572 USB" rev 0x80: irq 15
uhci1 at pci0 dev 16 function 1 "VIA VT83C572 USB" rev 0x80: irq 5
uhci2 at pci0 dev 16 function 2 "VIA VT83C572 USB" rev 0x80: irq 11
ehci0 at pci0 dev 16 function 3 "VIA VT6202 USB" rev 0x82: irq 12
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "VIA EHCI root hub" rev 2.00/1.00 addr 1
viapm0 at pci0 dev 17 function 0 "VIA VT8235 ISA" rev 0x00: SMI
iic0 at viapm0
spdmem0 at iic0 addr 0x50: 128MB DDR SDRAM non-parity PC2700CL2.5
viapm0: 24-bit timer at 3579545Hz
pciide0 at pci0 dev 17 function 1 "VIA VT82C571 IDE" rev 0x06: ATA133,
channel 0 configured to compatibility, channel 1 configured to
compatibility
wd0 at pciide0 channel 0 drive 0: <WDC WD600UE-22KVT0>
wd0: 16-sector PIO, LBA48, 57231MB, 117210240 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide0: channel 1 ignored (disabled)
auvia0 at pci0 dev 17 function 5 "VIA VT8233 AC97" rev 0x50: irq 11
ac97: codec id 0x56494161 (VIA Technologies VT1612A)
ac97: codec features headphone, 18 bit DAC, 18 bit ADC, KS Waves 3D
audio0 at auvia0
vr0 at pci0 dev 18 function 0 "VIA RhineII-2" rev 0x74: irq 15, address
00:e0:c5:52:83:dd
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 10: OUI
0x004063, model 0x0032
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "VIA UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "VIA UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 "VIA UHCI root hub" rev 1.00/1.00 addr 1
isa0 at mainbus0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
wbsio0 at isa0 port 0x2e/2: W83697HF rev 0x12
lm1 at wbsio0 port 0x290/8: W83697HF
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
mtrr: Pentium Pro MTRR support
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
scsibus1 at softraid0: 256 targets
root on wd0a (2c3f191a6a9dac90.a) swap on wd0b dump on wd0b
WARNING: / was not properly unmounted
panic: mtx_enter: locking against myself
Stopped at Debugger+0x4: popl %ebp
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb> Debugger(d08cee78,d4d759cc,d02030b4,d4d759cc,0) at Debugger+0x4
panic(d02030b4,d4d759ec,d03ecdf3,d0a23a20,d4593000) at panic+0x5d
mtx_enter(d0a23a20,d4593000,d4d75a0c,d4d759ec,d2eb3b00) at mtx_enter+0x60
pool_put(d0a23a20,d4d3a800,10,d03f3012,d0f1e894) at pool_put+0x33
m_extfree(d2eb3b00,1,d4d75a4c,d0401080,80) at m_extfree+0x80
m_free_unlocked(d2eb3b00,d4d3a93d,80,d4d3a93e,d4d3a93e) at m_free_unlocked+0x30
m_free(d2eb3b00,1,d0f1e848,d4d3d550,42) at m_free+0x25
slstart(d0f1e800,3f8,6,d4d3d4b4,42) at slstart+0x23e
comintr(d0ee4000) at comintr+0x13d
Xrecurse_legacy4() at Xrecurse_legacy4+0xb7
--- interrupt ---
pool_do_get(d0a23a20,2,d4d75cd4,d04025a3,60) at pool_do_get+0x271
pool_get(d0a23a20,2,352d2df4,d4d75cf4,d0203189) at pool_get+0x3d
m_clget(0,2,d0edc034,800,d4d6b008) at m_clget+0x82
vr_alloc_mbuf(d0edc000,d0edc768,60,136,d0edc6f0) at vr_alloc_mbuf+0x41
vr_fill_rx_ring(d0edc000,d0ebb380,0,c00,a) at vr_fill_rx_ring+0x51
vr_rxeof(d0edc000,e400,c,1,d0ebb3c0) at vr_rxeof+0xb5
vr_intr(d0edc000) at vr_intr+0x124
Xrecurse_legacy15() at Xrecurse_legacy15+0xbb
--- interrupt ---
uvm_fault(d4d6e0b8,7ef0c000,0,3,cfbe7058) at uvm_fault+0x675
trap() at trap+0x3f6
--- trap (number 2129707008) ---
0x6:
ddb> Debugger(d08cee78,d4d759cc,d02030b4,d4d759cc,0) at Debugger+0x4
ddb> PID PPID PGRP UID S FLAGS WAIT COMMAND
*15365 28343 29104 0 7 0 less
28343 18534 28343 0 3 0x88 paus\M-e ksh
18534 27774 18534 0 3 0x80 select sshd
4777 1 4777 0 3 0x80 ttyin getty
31515 1 31515 0 3 0x80 ttyin getty
10226 1 10226 0 3 0x80 ttyin getty
14119 1 14119 0 3 0x80 ttyin getty
19584 1 19584 0 3 0x80 ttyin getty
14533 1 14533 0 3 0x80 select cron
16119 1 16119 0 3 0x80 select ripd
7300 1 7300 0 3 0x80 select zebra
24854 1 24854 0 3 0x80 select inetd
17538 1 17538 0 3 0x80 select sendmail
27774 1 27774 0 3 0x80 select sshd
1423 4699 23023 83 3 0x80 poll ntpd
4699 23023 23023 83 3 0x80 poll ntpd
23023 1 23023 0 3 0x80 poll ntpd
4822 26438 26438 73 3 0x80 poll syslogd
26438 1 26438 0 3 0x80 netio syslogd
14707 1 14707 77 3 0x80 poll dhclient
8403 1 20766 0 3 0x80 poll dhclient
2377 1 20766 0 3 0x88 pause slattach
14 0 0 0 3 0x100200 aiodoned aiodoned
13 0 0 0` 3 0x100200 syncer update
12 0 0 0 3 0x100200 cleaner cleaner
11 0 0 0 3 0x100200 reaper reaper
10 0 0 0 3 0x100200 pgdaemon pagedaemon
9 0 0 0 3 0x100200 bored crypto
8 0 0 0 3 0x100200 pftm pfpurge
7 0 0 0 3 0x100200 usbtsk usbtask
6 0 0 0 3 0x100200 usbatsk usbatsk
5 0 0 0 3 0x100200 apmev apm0
4 0 0 0 3 0x100200 bored syswq
3 0 0 0 3 0x40100200 idle0
2 0 0 0 3 0x100200 kmalloc kmthread
1 0 1 0 3 0x80 wait init
0 -1 0 0 3 0x200 scheduler swapper
ddb> panic: mtx_enter: locking against myself
Stopped at Debugger+0x4: popl %ebp
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb> syncing disks... splassert: assertwaitok: want -1 have 2
panic: assertwaitok: non-zero mutex count: 1
Stopped at Debugger+0x4: popl %ebp
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb> panic: mtx_enter: locking against myself
Stopped at Debugger+0x4: popl %ebp
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb> panic: mtx_enter: locking against myself
Stopped at Debugger+0x4: popl %ebp
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb>
Same crash on OpenBSD 5.1/i386 with kernel ppp(4):
Script started on Sat Jun 2 07:23:20 2012
neo10# tip -115200 tty01
connected
mtx_enter: locking against myself
ddb> trace
Debugger(d08d7698,d8c8aa5c,d020307c,d8c8aa5c,2) at Debugger+0x4
panic(d020307c,d8c8aa8c,d03f1641,d0a2dc40,200203) at panic+0x5d
mtx_enter(d0a2dc40,200203,d8f56084,d12ac800,0) at mtx_enter+0x60
pool_get(d0a2dc40,2,d8c8abdc,0,d12acc50) at pool_get+0x31
m_gethdr(2,1,d8c8aadc,d0445b71,d0a527e8) at m_gethdr+0x3c
pppgetm(d12ac800,d8f56000,0,d1116000,d11160b4) at pppgetm+0x86
pppinput(7e,d125fa00,80,0,d1116054) at pppinput+0x5a9
comsoft(d1116000,d0a527f8,d1113800,60,d020204e) at comsoft+0x14a
softintr_dispatch(2) at softintr_dispatch+0x4f
Xsofttty() at Xsofttty+0x12
--- interrupt ---
pool_do_get(d0a2dc40,2,0,0,0) at pool_do_get+0xb3
pool_get(d0a2dc40,2,d8c8acfc,0,0) at pool_get+0x3d
m_get(2,1,d8c8acfc,d8c8ad44,d04a3e2c) at m_get+0x3c
ieee80211_ccmp_decrypt(d1106030,d5458100,d114e174,d057160b,d0a52760) at ieee80211_ccmp_decrypt+0x128
ieee80211_input(d1106030,d5458100,d114e000,d8c8add4,0) at ieee80211_input+0x9de
rt2560_decryption_intr(d1106000,d8bae000,1c,80,d10ffdc0) at rt2560_decryption_intr+0x406
rt2560_intr(d1106000) at rt2560_intr+0x10b
Xrecurse_legacy9() at Xrecurse_legacy9+0xbb
--db_more-- --- interrupt ---
--db_more-- cpu_idle_cycle(d0ae19a0) at cpu_idle_cycle+0xf
Bad frame pointer: 0xd0b97e28
ddb> show panic
mtx_enter: locking against myself
ddb> ps
PID PPID PGRP UID S FLAGS WAIT COMMAND
[...]
* 3 0 0 0 7 0x40100200 idle0
[...]
ddb> bopp ot sync
panic: mtx_enter: locking against myself
Stopped at Debugger+0x4: popl %ebp
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb> boot reboot
panic: mtx_enter: locking against myself
Stopped at Debugger+0x4: popl %ebp
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb> boot dump
panic: mtx_enter: locking against myself
Stopped at Debugger+0x4: popl %ebp
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb> >> OpenBSD/i386 BOOT 3.17
boot>
booting hd0a:bsd-GENERIC:
8234844+1088904 [61+369312+354970]=0x9953fc
entry point at 0x200120
[ using 724760 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California. All rights reserved.
Copyright (c) 1995-2012 OpenBSD. All rights reserved.
http://www.OpenBSD.org
OpenBSD 5.1 (GENERIC) #160: Sun Feb 12 09:46:33 MST 2012
[email protected]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD"
586-class) 499 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
real mem = 267976704 (255MB)
avail mem = 253497344 (241MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 11/05/08, BIOS32 rev. 0 @ 0xfd088
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xe0000/0xa800
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 10,
address 00:0d:b9:xx:xx:xx
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
vr1 at pci0 dev 11 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 15,
address 00:0d:b9:xx:xx:xx
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
ral0 at pci0 dev 12 function 0 "Ralink RT2560" rev 0x01: irq 9, address
00:11:09:xx:xx:xx
ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525
glxpcib0 at pci0 dev 15 function 0 "AMD CS5536 ISA" rev 0x03: rev 3,
32-bit 3579545Hz timer, watchdog, gpio
gpio0 at glxpcib0: 32 pins
pciide0 at pci0 dev 15 function 2 "AMD CS5536 IDE" rev 0x01: DMA,
channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <ULTIMATE CF CARD 16GB>
wd0: 1-sector PIO, LBA, 15247MB, 31227840 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 15 function 4 "AMD CS5536 USB" rev 0x02: irq 12,
version 1.0, legacy support
ehci0 at pci0 dev 15 function 5 "AMD CS5536 USB" rev 0x02: irq 12
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 "AMD OHCI root hub" rev 1.00/1.00 addr 1
mtrr: K6-family MTRR support (2 registers)
nvram: invalid checksum
umass0 at uhub0 port 2 configuration 1 interface 0 "Kingston
DataTraveler 2.0" rev 2.00/1.00 addr 2
umass0: using SCSI over Bulk-Only
scsibus0 at umass0: 2 targets, initiator 0
sd0 at scsibus0 targ 1 lun 0: <Kingston, DataTraveler 2.0, 1.00> SCSI0
0/direct removable serial.xxxxxxxxxxxxxxxxxxxx
sd0: 120MB, 512 bytes/sector, 246272 sectors
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
softraid0: sd1 was not shutdown properly
sd1 at scsibus2 targ 1 lun 0: <OPENBSD, SR CRYPTO, 005> SCSI2 0/direct fixed
sd1: 14926MB, 512 bytes/sector, 30568624 sectors
root on sd1a (0a101ff0bafd1036.a) swap on sd1b dump on sd1b
WARNING: / was not properly unmounted
clock: unknown CMOS layout
Automatic boot in progress: starting file system checks.
[...]
OpenBSD/i386 (silver.durlej.net) (tty00)
login: