Bug #15684: Panic in ``tcp_m_copym`` with selective ACK enabled
Status: closed
% Done: 100%
Plus Target Version: 24.11
Release Notes: Force Exclusion
Affected Version: 2.7.2
Affected Architecture: All
Description
In some situations pfSense panics with:
db:1:pfs> bt
Tracing pid 2 tid 100112 td 0xfffff8000182f000
kdb_enter() at kdb_enter+0x33/frame 0xfffffe0084fe38f0
panic() at panic+0x43/frame 0xfffffe0084fe3950
trap_fatal() at trap_fatal+0x40f/frame 0xfffffe0084fe39b0
trap_pfault() at trap_pfault+0x4f/frame 0xfffffe0084fe3a10
calltrap() at calltrap+0x8/frame 0xfffffe0084fe3a10
--- trap 0xc, rip = 0xffffffff80f246e2, rsp = 0xfffffe0084fe3ae0, rbp = 0xfffffe0084fe3b70 ---
tcp_m_copym() at tcp_m_copym+0x62/frame 0xfffffe0084fe3b70
tcp_default_output() at tcp_default_output+0x1294/frame 0xfffffe0084fe3d60
tcp_timer_rexmt() at tcp_timer_rexmt+0x53c/frame 0xfffffe0084fe3dc0
tcp_timer_enter() at tcp_timer_enter+0x101/frame 0xfffffe0084fe3e00
softclock_call_cc() at softclock_call_cc+0x12e/frame 0xfffffe0084fe3ec0
softclock_thread() at softclock_thread+0xe9/frame 0xfffffe0084fe3ef0
fork_exit() at fork_exit+0x7f/frame 0xfffffe0084fe3f30
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0084fe3f30
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---

db:1:pfs> show registers
cs 0x20
ds 0x3b
es 0x3b
fs 0x13
gs 0x1b
ss 0x28
rax 0x12
rcx 0xffffffff8141f825
rdx 0x3f8
rbx 0x100
rsp 0xfffffe0084fe37c8
rbp 0xfffffe0084fe38f0
rsi 0xa
rdi 0xffffffff82d509d0 gdb_consdev
r8 0
r9 0xfffffe0084fe3400
r10 0x64
r11 0
r12 0
r13 0
r14 0xffffffff8142fefb
r15 0xfffff8000182f000
rip 0xffffffff80d3f4c3 kdb_enter+0x33
rflags 0x82
kdb_enter+0x33: movq $0,0x235af42(%rip)

db:1:pfs> show pcpu
cpuid = 15
dynamic pcpu = 0xfffffe008f09ff40
curthread = 0xfffff8000182f000: pid 2 tid 100112 critnest 1 "clock (15)"
curpcb = 0xfffff8000182f520
fpcurthread = none
idlethread = 0xfffff80001798000: tid 100018 "idle: cpu15"
self = 0xffffffff8401f000
curpmap = 0xffffffff8303e6b0
tssp = 0xffffffff8401f384
rsp0 = 0xfffffe0084fe4000
kcr3 = 0x800000007044b002
ucr3 = 0xffffffffffffffff
scr3 = 0x13e07cc78
gs32p = 0xffffffff8401f404
ldt = 0xffffffff8401f444
tss = 0xffffffff8401f434
curvnet = 0xfffff800012791c0

Fatal trap 12: page fault while in kernel mode
cpuid = 15; apic id = 0f
fault virtual address = 0x1c
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff80f246e2
stack pointer = 0x28:0xfffffe0084fe3ae0
frame pointer = 0x28:0xfffffe0084fe3b70
code segment = base 0x0, limit 0xfffff, type 0x1b
 = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 2 (clock (15))
rdi: 0000000000000000 rsi: 0000000000000000 rdx: fffffe0084fe3cf8
rcx: 0000000000000000 r8: 00000000000004f4 r9: 0000000000000000
rax: 0000000000000000 rbx: 0000000000000000 rbp: fffffe0084fe3b70
r10: 0000000000001388 r11: 00000000940e1ad0 r12: 0000000000000000
r13: 00000000000004f4 r14: fffff801fdab9000 r15: 0000000000000028
trap number = 12
panic: page fault
cpuid = 15
time = 1723446922
KDB: enter: panic
This appears to be something trying to access an mbuf after it has been freed, likely because of an interface or routing change.
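The reading above rests on three things visible in the DDB output: the fault virtual address is tiny (0x1c), the faulting frame is tcp_m_copym, and the call path runs through the retransmit timer (tcp_timer_rexmt under softclock), so no packet is being received when the bad pointer is touched. The script below is an added triage helper, not part of the bug report or of pfSense; it parses the trap summary and backtrace as pasted in this report and reports those facts. The near-NULL threshold (one 4 KiB page) is an assumption of the script: a fault address that small is consistent with reading a field at a small offset from a NULL or invalid pointer, which is what a freed-and-cleared mbuf pointer would look like, but the script cannot prove which object was involved.

```python
import re

# Constructed sample input: the trap summary and backtrace copied from the
# report above, trimmed to the lines the parser uses.
TRAP_TEXT = """Fatal trap 12: page fault while in kernel mode
cpuid = 15; apic id = 0f
fault virtual address = 0x1c
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff80f246e2
current process = 2 (clock (15))
trap number = 12
panic: page fault
"""

BT_TEXT = """db:1:pfs> bt
Tracing pid 2 tid 100112 td 0xfffff8000182f000
kdb_enter() at kdb_enter+0x33/frame 0xfffffe0084fe38f0
panic() at panic+0x43/frame 0xfffffe0084fe3950
trap_fatal() at trap_fatal+0x40f/frame 0xfffffe0084fe39b0
trap_pfault() at trap_pfault+0x4f/frame 0xfffffe0084fe3a10
calltrap() at calltrap+0x8/frame 0xfffffe0084fe3a10
--- trap 0xc, rip = 0xffffffff80f246e2, rsp = 0xfffffe0084fe3ae0, rbp = 0xfffffe0084fe3b70 ---
tcp_m_copym() at tcp_m_copym+0x62/frame 0xfffffe0084fe3b70
tcp_default_output() at tcp_default_output+0x1294/frame 0xfffffe0084fe3d60
tcp_timer_rexmt() at tcp_timer_rexmt+0x53c/frame 0xfffffe0084fe3dc0
tcp_timer_enter() at tcp_timer_enter+0x101/frame 0xfffffe0084fe3e00
softclock_call_cc() at softclock_call_cc+0x12e/frame 0xfffffe0084fe3ec0
softclock_thread() at softclock_thread+0xe9/frame 0xfffffe0084fe3ef0
fork_exit() at fork_exit+0x7f/frame 0xfffffe0084fe3f30
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0084fe3f30
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
"""

# One DDB backtrace frame: "func() at func+0xNN/frame 0xADDR"
FRAME_RE = re.compile(r"^(\w+)\(\) at (\w+)\+(0x[0-9a-f]+)/frame (0x[0-9a-f]+)$")
# A trap marker separating the handler frames from the code that trapped.
TRAP_RE = re.compile(r"^--- trap (0x[0-9a-f]+|\d+), rip = (0x[0-9a-f]+|\d+)")
FIELD_RE = re.compile(
    r"^(fault virtual address|fault code|instruction pointer|current process|trap number)\s*=\s*(.+)$"
)

# Assumption: fault addresses below one page are treated as "near-NULL".
NEAR_NULL_LIMIT = 0x1000


def parse_fatal_trap(text):
    """Extract the fields of a FreeBSD 'Fatal trap' summary into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return {
        "trap": int(fields["trap number"]),
        "fault_address": int(fields["fault virtual address"], 16),
        "fault_code": fields["fault code"],
        # "0x20:0xffffffff80f246e2" -> take the offset after the selector
        "rip": int(fields["instruction pointer"].split(":")[1], 16),
        "process": fields["current process"],
    }


def parse_backtrace(text):
    """Split a DDB 'bt' listing into segments: (trap_rip, [frames]).

    Each '--- trap ... ---' marker starts a new segment; the frames that
    follow it are the code that was running when that trap fired."""
    segments = [(None, [])]
    for line in text.splitlines():
        line = line.strip()
        m = TRAP_RE.match(line)
        if m:
            segments.append((int(m.group(2), 16), []))
            continue
        m = FRAME_RE.match(line)
        if m:
            segments[-1][1].append(
                {"func": m.group(1), "offset": int(m.group(3), 16), "frame": int(m.group(4), 16)}
            )
    return segments


def faulting_frames(segments, rip):
    """Return the frames belonging to the trap whose rip matches the fatal trap."""
    for trap_rip, frames in segments:
        if trap_rip == rip and frames:
            return frames
    return []


def classify_fault(fault_address):
    return "near-NULL" if fault_address < NEAR_NULL_LIMIT else "other"


def triage(trap_text, bt_text):
    """Summarise what the panic text supports: where it faulted, on what, from where."""
    trap = parse_fatal_trap(trap_text)
    frames = faulting_frames(parse_backtrace(bt_text), trap["rip"])
    return {
        "trap": trap["trap"],
        "fault_address": trap["fault_address"],
        "fault_class": classify_fault(trap["fault_address"]),
        "fault_code": trap["fault_code"],
        "faulting_function": frames[0]["func"] if frames else None,
        "call_path": [f["func"] for f in frames],
        # softclock frames mean a callout (timer) fired, not a receive path
        "timer_context": any(f["func"].startswith("softclock") for f in frames),
        "process": trap["process"],
    }


if __name__ == "__main__":
    for key, value in triage(TRAP_TEXT, BT_TEXT).items():
        print(f"{key}: {value}")
```

Feeding the report's own dump through it yields faulting_function tcp_m_copym, fault_class near-NULL, and a call path that starts tcp_m_copym, tcp_default_output, tcp_timer_rexmt with timer_context true; the same parser applies to any FreeBSD kernel panic text, which makes it usable for sorting incoming pfSense crash reports by faulting function before anyone opens a debugger.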