Date: Wed, 24 Jan 2018 22:40:07 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 225438] panic in6_unlink_ifa() due to race
Message-ID: <bug-225438-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225438

            Bug ID: 225438
           Summary: panic in6_unlink_ifa() due to race
           Product: Base System
           Version: 11.1-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: daveb@spectralogic.com

The following silly test case exposes a race in in6_unlink_ifa() that panics
because the second thread into in6_unlink_ifa() attempts to remove the
address from &ifp->if_addrhead that the first thread has already removed and
freed:

while :
do
    /etc/rc.d/netif restart igb1 &
    /etc/rc.d/netif restart igb1 &
    wait
    sleep 5
done

-----------------------------------------
The panic thread:

Unread portion of the kernel message buffer:
panic: Bad link elm 0xfffff815570d7400 next->prev != elm

Thread 1455 (Thread 102370):
(struct thread *)0xfffff811a0e49000, tid 102370 ifconfig :: (struct proc *)0xfffff815570d6000, pid 5784
args: /sbin/ifconfig igb1 inet6 fe80::225:90ff:fec9:a5fd -alias

#11 0xffffffff804bf103 in panic (fmt=<value optimized out>) at sys/kern/kern_shutdown.c:690
#12 0xffffffff8067e6f4 in in6_unlink_ifa (ia=0xfffff815570d7400, ifp=0xfffff8012150f800) at sys/netinet6/in6.c:1292
#13 0xffffffff8067c30b in in6_control (so=<value optimized out>, cmd=<value optimized out>, data=<value optimized out>, ifp=<value optimized out>, td=<value optimized out>) at sys/netinet6/in6.c:699
#14 0xffffffff805aef80 in ifioctl (so=<value optimized out>, cmd=2166384921, data=0xfffff80158647c00 "igb1", td=0xfffff811a0e49000) at sys/net/if.c:2859
#15 0xffffffff80524ab4 in kern_ioctl (td=<value optimized out>, fd=<value optimized out>, com=<value optimized out>, data=<value optimized out>) at file.h:323
#16 0xffffffff8052476e in sys_ioctl (td=0xfffff811a0e49000, uap=0xfffffe1b8e3afa30) at sys/kern/sys_generic.c:745

(kgdb) frame 12
#12 0xffffffff8067e6f4 in in6_unlink_ifa (ia=0xfffff815570d7400, ifp=0xfffff8012150f800) at sys/netinet6/in6.c:1292
1292            TAILQ_REMOVE(&ifp->if_addrhead, &ia->ia_ifa, ifa_link);

Note: In order to clearly show where the panic occurred, I wrapped
in6_unlink_ifa() in #pragma clang optimize off/on. Without this the offending
frame (#12) looks like:

#12 0xffffffff8067edba in in6_unlink_ifa (ia=0xfffff819e5dd5200, ifp=<value optimized out>) at fnv_hash.h:29

-----------------------------------------
The thread that removed the address:

Thread 1456 (Thread 101967):
(struct thread *)0xfffff81557641000, tid 101967 ifconfig :: (struct proc *)0xfffff81557595000, pid 5785
args: /sbin/ifconfig igb1 inet6 fe80::225:90ff:fec9:a5fd -alias

#2  0xffffffff8078425a in trap (frame=0xfffffe1a5ddf1f30) at sys/amd64/amd64/trap.c:185
#3  0xffffffff80768863 in nmi_calltrap () at sys/amd64/amd64/exception.S:510
#4  0xffffffff80510032 in smp_rendezvous_cpus (map={__bits = 0xfffffe1b8e6ce580}, setup_func=0xffffffff8050fe80 <smp_no_rendevous_barrier>, action_func=<value optimized out>, teardown_func=<value optimized out>, arg=<value optimized out>) at cpufunc.h:339
#5  0xffffffff804b98ae in _rm_wlock (rm=0xffffffff80eeeac0) at sys/kern/kern_rmlock.c:558
#6  0xffffffff804b9b14 in _rm_wlock_debug (rm=0xffffffff80eeeac0, file=0xffffffff80895d8d "sys/netinet6/in6.c", line=1301) at sys/kern/kern_rmlock.c:610
#7  0xffffffff8067e7ae in in6_unlink_ifa (ia=0xfffff815570d7400, ifp=0xfffff8012150f800) at sys/netinet6/in6.c:1301
#8  0xffffffff8067c30b in in6_control (so=<value optimized out>, cmd=<value optimized out>, data=<value optimized out>, ifp=<value optimized out>, td=<value optimized out>) at sys/netinet6/in6.c:699
#9  0xffffffff805aef80 in ifioctl (so=<value optimized out>, cmd=2166384921, data=0xfffff81557272200 "igb1", td=0xfffff81557641000) at sys/net/if.c:2859
#10 0xffffffff80524ab4 in kern_ioctl (td=<value optimized out>, fd=<value optimized out>, com=<value optimized out>, data=<value optimized out>) at file.h:323
#11 0xffffffff8052476e in sys_ioctl (td=0xfffff81557641000, uap=0xfffffe1b8e6cea30) at sys/kern/sys_generic.c:745

(kgdb) frame 7
#7  0xffffffff8067e7ae in in6_unlink_ifa (ia=0xfffff815570d7400, ifp=0xfffff8012150f800) at sys/netinet6/in6.c:1301
1301            IN6_IFADDR_WLOCK();

-- 
You are receiving this mail because:
You are the assignee for the bug.
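The report's two backtraces show the same ifa reaching TAILQ_REMOVE twice. The following is an added user-space simulation, not code from the bug report or from FreeBSD: a TAILQ-style list with the next->prev and prev->next link checks that FreeBSD's debug-build TAILQ_REMOVE performs, replayed with two unlinks of one element, and a hypothetical "linked" guard bit (assumed here for illustration, not the FreeBSD fix) checked under the list lock so the second caller skips a stale removal. The simulation leaves the element allocated so its stale links can be inspected; in the kernel the first thread also frees it.

```c
#include <stdio.h>
#include <string.h>

struct ifa {
    struct ifa *next;
    struct ifa **prev;   /* address of the pointer that points at us, as in TAILQ */
    int linked;          /* hypothetical guard bit: 1 while the entry is on the list */
    char name[16];
};
struct ifa_head { struct ifa *first; struct ifa **last; };

static void head_init(struct ifa_head *h) { h->first = NULL; h->last = &h->first; }

static void insert_tail(struct ifa_head *h, struct ifa *e) {
    e->next = NULL; e->prev = h->last; *h->last = e; h->last = &e->next; e->linked = 1;
}

/* Mirrors TAILQ_REMOVE with the debug-build link checks. Returns 0 on success,
 * -1 for "next->prev != elm" (the report's panic), -2 for "prev->next != elm". */
static int remove_checked(struct ifa_head *h, struct ifa *e) {
    if (e->next != NULL && e->next->prev != &e->next) return -1;
    if (*e->prev != e) return -2;
    if (e->next != NULL) e->next->prev = e->prev; else h->last = e->prev;
    *e->prev = e->next;
    e->linked = 0;
    return 0;
}

/* Hardened variant: with the list lock held, refuse to unlink an entry that a
 * racing thread has already taken off the list. Returns 1 when it skips. */
static int remove_guarded(struct ifa_head *h, struct ifa *e) {
    if (!e->linked) return 1;
    return remove_checked(h, e);
}

/* Replays the race: two "ifconfig -alias" threads both unlink the same address.
 * Returns the second unlink's result: -1 is the kernel's "Bad link elm" panic,
 * 1 means the guard skipped the stale removal. Constructed sample entries. */
int race_double_remove(int guarded) {
    struct ifa_head h; struct ifa a = {0}, b = {0}, c = {0};
    head_init(&h);
    strcpy(a.name, "v4"); strcpy(b.name, "fe80-alias"); strcpy(c.name, "v6-global");
    insert_tail(&h, &a); insert_tail(&h, &b); insert_tail(&h, &c);
    if (remove_checked(&h, &b) != 0) return -99;   /* thread 1 (pid 5785): legitimate unlink */
    return guarded ? remove_guarded(&h, &b) : remove_checked(&h, &b);   /* thread 2 (pid 5784) */
}

int main(void) {
    printf("unguarded second unlink: %d\n", race_double_remove(0));
    printf("guarded second unlink:   %d\n", race_double_remove(1));
    return 0;
}
```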