Subject: Re: git: 0d469d23715d - main - net: attach IPv4 and IPv6 stacks to an interface with EVENTHANDLER(9)
From: Dimitry Andric
To: Gleb Smirnoff
Cc: Kristof Provost, src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Date: Fri, 19 Dec 2025 19:48:42 +0100
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

On 19 Dec 2025, at 19:42, Gleb Smirnoff wrote:
>
> On Fri, Dec 19, 2025 at 12:10:09PM +0100, Kristof Provost wrote:
> K> I’m seeing panics on pfsync interface destruction now:
> K>
> K> panic: mld_change_state: bad ifp
> K> cpuid = 19
> K> time = 1766142554
> K> KDB: stack backtrace:
> K> db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01843fd990
> K> vpanic() at vpanic+0x136/frame 0xfffffe01843fdac0
> K> panic() at panic+0x43/frame 0xfffffe01843fdb20
> K> mld_change_state() at mld_change_state+0x6d0/frame 0xfffffe01843fdb90
> K> in6_leavegroup_locked() at in6_leavegroup_locked+0xa9/frame 0xfffffe01843fdbf0
> K> in6_leavegroup() at in6_leavegroup+0x32/frame 0xfffffe01843fdc10
> K> pfsync_multicast_cleanup() at pfsync_multicast_cleanup+0x83/frame 0xfffffe01843fdc40
> K> pfsync_clone_destroy() at pfsync_clone_destroy+0x260/frame 0xfffffe01843fdc90
> K> ifc_simple_destroy_wrapper() at ifc_simple_destroy_wrapper+0x26/frame 0xfffffe01843fdca0
> K> if_clone_destroyif_flags() at if_clone_destroyif_flags+0x69/frame 0xfffffe01843fdce0
> K> if_clone_detach() at if_clone_detach+0xe6/frame 0xfffffe01843fdd10
> K> vnet_pfsync_uninit() at vnet_pfsync_uninit+0xf0/frame 0xfffffe01843fdd30
> K> vnet_destroy() at vnet_destroy+0x154/frame 0xfffffe01843fdd60
> K> prison_deref() at prison_deref+0xaf5/frame 0xfffffe01843fddd0
> K> sys_jail_remove() at sys_jail_remove+0x15c/frame 0xfffffe01843fde00
> K> amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe01843fdf30
> K> fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01843fdf30
> K> --- syscall (508, FreeBSD ELF64, jail_remove), rip = 0x2d8234c9e31a, rsp = 0x2d823179b928, rbp = 0x2d823179b9b0 ---
> K> KDB: enter: panic
> K>
> K> The pfsync:basic_ipv6 seems to trigger this reliably.
>
> This actually surfaced an interesting problem, and pfsync being an interface
> isn't a culprit here :) Neither my changes are.
>
> The problem is that IPv6 multicast layer in in6_getmulti() will call into
> interface multicast layer with if_addmulti() to allocate struct ifmultiaddr.
> This new born ifmultiaddr will have refcount of 1, but it will be referenced
> both by the struct in6_multi and the interface linked list. It should have
> refcount of 2. For all normal cases the in6_multi structs are also somehow
> associated with the interface they were allocated for and at teardown sequence
> they will go away all together, so this refcounting bug never triggers.
>
> But with pfsync calling in6_joingroup() on some ifnet from its own pfsync's
> context we come into a situation when the struct in6_multi is external to the
> ifnet it is associated with. If this ifnet is detached before pfsync context
> is destroyed, then our in6_multi will point at a detached ifnet that is hanging
> on the last reference (all methods point to if_dead) and this in6_multi will
> also point at freed ifmultiaddr.
>
> I'm looking at either a proper fix or at hiding it back under carpet as it was
> before.

What I'm seeing with main-n282652-4100bd6caa66 is this:

panic: bpf_ifnet_write: ifp 0xfffff8002d492800 type 209 not supported
...
(kgdb) #0  __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:57
        td =
#1  doadump (textdump=textdump@entry=0)
    at /usr/src/sys/kern/kern_shutdown.c:399
        error = 0
        coredump =
...
#10 0xffffffff80b9776b in vpanic (
    fmt=0xffffffff811e552a "%s: ifp %p type %u not supported",
    ap=ap@entry=0xfffffe00d75f9c00) at /usr/src/sys/kern/kern_shutdown.c:962
        buf = "bpf_ifnet_write: ifp 0xfffff8002d492800 type 209 not supported", '\000'
        __pc = 0x0
        __pc = 0x0
        __pc = 0x0
        other_cpus = {__bits = {65534, 0 }}
        td = 0xfffff8000d8c7780
        bootopt =
        newpanic =
#11 0xffffffff80b975d3 in panic (
    fmt=0xffffffff81d9fa50 "\256`\035\201\377\377\377\377")
    at /usr/src/sys/kern/kern_shutdown.c:887
        ap = {{gp_offset = 32, fp_offset = 48,
            overflow_arg_area = 0xfffffe00d75f9c30,
            reg_save_area = 0xfffffe00d75f9bd0}}
#12 0xffffffff80cd600f in bpf_ifnet_write (arg=0xfffff8002d492800,
    m=0xfffff80033020900, mc=0x0, flags=32) at /usr/src/sys/net/bpf_ifnet.c:141
        ro = {ro_nh = 0x0, ro_lle = 0x0, ro_prepend = 0x0, ro_plen = 0,
          ro_flags = 0, ro_mtu = 0, spare = 0, ro_dst = {sa_len = 0 '\000',
            sa_family = 0 '\000', sa_data = '\000' }}
        dst = {sa_len = 0 '\000', sa_family = 0 '\000',
          sa_data = '\000' }
        hlen = 0
        saved_vnet =
        error =
        ifp =
#13 0xffffffff80cd2030 in bpfwrite (dev=, uio=, ioflag=)
    at /usr/src/sys/net/bpf.c:1052
        et = {et_link = {tqe_next = 0x0, tqe_prev = 0xfffffe00167c2ad8},
          et_td = 0xfffff8000d8c7780, et_section = {bucket = 1},
          et_old_priority = 144 '\220'}
        d = 0xfffff8000eec8a00
        error =
        bp = 0xfffff80001aa3d00
        m = 0xfffff80033020900
        mc = 0x0
        len =
#14 0xffffffff80a114a3 in devfs_write_f (fp=0xfffff8000d884140,
    uio=0xfffff80001aa3c80, cred=, flags=0, td=0xfffff8000d8c7780)
    at /usr/src/sys/fs/devfs/devfs_vnops.c:1960
        dev = 0xfffff800017fc800
        ref = 1
        fpop = 0x0
        dsw = 0xffffffff81af2b68
        error = 0
        ioflag = 0
        resid = 342

-Dimitry
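
The reference accounting described in the quoted text from Gleb Smirnoff, reduced to a user-space C model. This is an example added here, not FreeBSD source and not part of the mail; every toy_* name is hypothetical, and a "freed" flag stands in for the real release so the outcome can be inspected.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-in for struct ifmultiaddr (hypothetical, not kernel code). */
struct toy_ifma {
    int  refcount;
    bool freed;   /* set instead of calling free() so the result is observable */
};

/* Toy stand-in for struct in6_multi: keeps a pointer to the membership. */
struct toy_inm {
    struct toy_ifma *ifma;
};

static void toy_ifma_release(struct toy_ifma *ifma)
{
    if (--ifma->refcount == 0)
        ifma->freed = true;
}

/*
 * Join: the membership is linked on the interface's list and is also
 * pointed to by the in6_multi stand-in. count_both == false models the
 * accounting described in the mail (two holders, refcount of 1).
 */
static void toy_join(struct toy_ifma *ifma, struct toy_inm *inm, bool count_both)
{
    ifma->refcount = count_both ? 2 : 1;
    ifma->freed = false;
    inm->ifma = ifma;
}

/*
 * Detach the interface first (its list drops one reference), then report
 * whether the external holder is left pointing at a released object.
 */
static bool toy_dangles_after_detach(bool count_both)
{
    struct toy_ifma ifma;
    struct toy_inm inm;

    toy_join(&ifma, &inm, count_both);
    toy_ifma_release(&ifma);   /* interface detach drops the list's reference */
    return inm.ifma->freed;    /* what a later leave-group call would find */
}

int main(void)
{
    printf("refcount 1, detach first: dangling=%d\n", toy_dangles_after_detach(false));
    printf("refcount 2, detach first: dangling=%d\n", toy_dangles_after_detach(true));
    return 0;
}
```

With one reference counted per holder, the object outlives the interface detach and is released only when the external holder lets go.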