From owner-freebsd-bugs@freebsd.org Wed Jan 24 22:40:09 2018
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 225438] panic in6_unlink_ifa() due to race
Date: Wed, 24 Jan 2018 22:40:07 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.1-RELEASE
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: daveb@spectralogic.com
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: Bug reports

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225438

            Bug ID: 225438
           Summary: panic in6_unlink_ifa() due to race
           Product: Base System
           Version: 11.1-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: daveb@spectralogic.com

The following silly test case exposes a race in in6_unlink_ifa() that panics
because the second thread into in6_unlink_ifa() attempts to remove the
address from &ifp->if_addrhead that the first thread has already removed and
freed:

while :
do
    /etc/rc.d/netif restart igb1 &
    /etc/rc.d/netif restart igb1 &
    wait
    sleep 5
done

-----------------------------------------
The panic thread:

Unread portion of the kernel message buffer:
panic: Bad link elm 0xfffff815570d7400 next->prev != elm

Thread 1455 (Thread 102370):
(struct thread *)0xfffff811a0e49000, tid 102370 ifconfig ::
(struct proc *)0xfffff815570d6000, pid 5784
args: /sbin/ifconfig igb1 inet6 fe80::225:90ff:fec9:a5fd -alias
#11 0xffffffff804bf103 in panic (fmt=) at sys/kern/kern_shutdown.c:690
#12 0xffffffff8067e6f4 in in6_unlink_ifa (ia=0xfffff815570d7400, ifp=0xfffff8012150f800) at sys/netinet6/in6.c:1292
#13 0xffffffff8067c30b in in6_control (so=, cmd=, data=, ifp=, td=) at sys/netinet6/in6.c:699
#14 0xffffffff805aef80 in ifioctl (so=, cmd=2166384921, data=0xfffff80158647c00 "igb1", td=0xfffff811a0e49000) at sys/net/if.c:2859
#15 0xffffffff80524ab4 in kern_ioctl (td=, fd=, com=, data=) at file.h:323
#16 0xffffffff8052476e in sys_ioctl (td=0xfffff811a0e49000, uap=0xfffffe1b8e3afa30) at sys/kern/sys_generic.c:745
(kgdb) frame 12
#12 0xffffffff8067e6f4 in in6_unlink_ifa (ia=0xfffff815570d7400, ifp=0xfffff8012150f800) at sys/netinet6/in6.c:1292
1292            TAILQ_REMOVE(&ifp->if_addrhead, &ia->ia_ifa, ifa_link);

Note: In order to clearly show where the panic occurred, I wrapped
in6_unlink_ifa() in #pragma clang optimize off/on. Without this the
offending frame (#12) looks like:

#12 0xffffffff8067edba in in6_unlink_ifa (ia=0xfffff819e5dd5200, ifp=) at fnv_hash.h:29

-----------------------------------------
The thread that removed the address:

Thread 1456 (Thread 101967):
(struct thread *)0xfffff81557641000, tid 101967 ifconfig ::
(struct proc *)0xfffff81557595000, pid 5785
args: /sbin/ifconfig igb1 inet6 fe80::225:90ff:fec9:a5fd -alias
#2 0xffffffff8078425a in trap (frame=0xfffffe1a5ddf1f30) at sys/amd64/amd64/trap.c:185
#3 0xffffffff80768863 in nmi_calltrap () at sys/amd64/amd64/exception.S:510
#4 0xffffffff80510032 in smp_rendezvous_cpus (map={__bits = 0xfffffe1b8e6ce580}, setup_func=0xffffffff8050fe80, action_func=, teardown_func=, arg=) at cpufunc.h:339
#5 0xffffffff804b98ae in _rm_wlock (rm=0xffffffff80eeeac0) at sys/kern/kern_rmlock.c:558
#6 0xffffffff804b9b14 in _rm_wlock_debug (rm=0xffffffff80eeeac0, file=0xffffffff80895d8d "sys/netinet6/in6.c", line=1301) at sys/kern/kern_rmlock.c:610
#7 0xffffffff8067e7ae in in6_unlink_ifa (ia=0xfffff815570d7400, ifp=0xfffff8012150f800) at sys/netinet6/in6.c:1301
#8 0xffffffff8067c30b in in6_control (so=, cmd=, data=, ifp=, td=) at sys/netinet6/in6.c:699
#9 0xffffffff805aef80 in ifioctl (so=, cmd=2166384921, data=0xfffff81557272200 "igb1", td=0xfffff81557641000) at sys/net/if.c:2859
#10 0xffffffff80524ab4 in kern_ioctl (td=, fd=, com=, data=) at file.h:323
#11 0xffffffff8052476e in sys_ioctl (td=0xfffff81557641000, uap=0xfffffe1b8e6cea30) at sys/kern/sys_generic.c:745
(kgdb) frame 7
#7 0xffffffff8067e7ae in in6_unlink_ifa (ia=0xfffff815570d7400, ifp=0xfffff8012150f800) at sys/netinet6/in6.c:1301
1301            IN6_IFADDR_WLOCK();

-- 
You are receiving this mail because:
You are the assignee for the bug.
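Added example, not code from the report or from FreeBSD: a user-space C model of the interleaving the report describes. The two ifconfig processes (pids 5785 and 5784, both entering ifioctl() with cmd=2166384921, which is 0x81206919, the SIOCDIFADDR_IN6 ioctl behind "ifconfig ... -alias") reach in6_unlink_ifa() with the same ia; the first removes it from if_addrhead, the second then runs TAILQ_REMOVE on an element that is no longer on the list. The struct and function names below (struct addr, struct addrhead, unlink_unguarded, unlink_guarded, replay_race, the "linked" flag) are hypothetical stand-ins for struct in6_ifaddr, ifp->if_addrhead and in6_unlink_ifa(); the list code is the TAILQ layout from sys/queue.h written out by hand, and check_links() reproduces the QUEUE_MACRO_DEBUG tests whose failure is the "Bad link elm ... next->prev != elm" panic. The guarded variant only illustrates the property a fix needs (membership check and unlink done atomically under the list lock, second caller backs off); it is not the change FreeBSD committed, and it does not address keeping the freed object alive, which is a reference-counting question.

```c
/*
 * Added example, not FreeBSD code: two callers unlinking the same IPv6
 * address entry, as in bug 225438.  struct addr / struct addrhead and the
 * function names are hypothetical stand-ins for struct in6_ifaddr,
 * ifp->if_addrhead and in6_unlink_ifa().
 */
#include <stddef.h>
#include <string.h>

struct addr;
struct addrhead {                /* TAILQ_HEAD layout from sys/queue.h */
    struct addr *tqh_first;
    struct addr **tqh_last;      /* address of the last element's tqe_next */
};
struct addr {
    char name[40];               /* stands in for the address text */
    int linked;                  /* 1 while on the list (hypothetical flag) */
    struct addr *tqe_next;       /* TAILQ_ENTRY layout: next element */
    struct addr **tqe_prev;      /* address of the previous element's tqe_next */
};

enum { LINK_OK = 0, BAD_NEXT_PREV = 1, BAD_PREV_NEXT = 2, ALREADY_GONE = -1 };

static void list_init(struct addrhead *h)
{
    h->tqh_first = NULL;
    h->tqh_last = &h->tqh_first;
}

static void insert_tail(struct addrhead *h, struct addr *e)
{
    e->tqe_next = NULL;
    e->tqe_prev = h->tqh_last;
    *h->tqh_last = e;
    h->tqh_last = &e->tqe_next;
}

/* Body of TAILQ_REMOVE without its debug checks: it trusts elm's links,
 * so running it twice on the same element rewrites pointers of whatever
 * its stale links still point at. */
static void remove_elm(struct addrhead *h, struct addr *e)
{
    if (e->tqe_next != NULL)
        e->tqe_next->tqe_prev = e->tqe_prev;
    else
        h->tqh_last = e->tqe_prev;
    *e->tqe_prev = e->tqe_next;
}

/* The QMD_TAILQ_CHECK_NEXT / QMD_TAILQ_CHECK_PREV tests a kernel built with
 * QUEUE_MACRO_DEBUG runs before TAILQ_REMOVE.  The first mismatch is the
 * "Bad link elm %p next->prev != elm" panic; here it is returned instead. */
int check_links(struct addr *e)
{
    if (e->tqe_next != NULL && e->tqe_next->tqe_prev != &e->tqe_next)
        return BAD_NEXT_PREV;
    if (*e->tqe_prev != e)
        return BAD_PREV_NEXT;
    return LINK_OK;
}

/* What each racing in6_unlink_ifa() call effectively does to the list. */
int unlink_unguarded(struct addrhead *h, struct addr *ia)
{
    int rc = check_links(ia);
    if (rc != LINK_OK)
        return rc;               /* the kernel panics at this point */
    remove_elm(h, ia);
    return LINK_OK;
}

/* Membership check and removal done as one step.  The caller must hold the
 * list's write lock (IF_ADDR_WLOCK in the kernel) around this call so two
 * unlinkers cannot interleave; the second one then backs off instead of
 * touching stale links.  "linked" is a hypothetical marker and does not
 * keep the object alive; that is reference counting, not shown here. */
int unlink_guarded(struct addrhead *h, struct addr *ia)
{
    if (!ia->linked)
        return ALREADY_GONE;
    remove_elm(h, ia);
    ia->linked = 0;
    return LINK_OK;
}

/* Replay the report's interleaving on a constructed two-entry list for igb1:
 * the first "-alias" (pid 5785) unlinks fe80::225:90ff:fec9:a5fd, then the
 * second (pid 5784) tries to unlink the same element.  Returns what the
 * second caller observed, or -2 if the first unlink itself failed. */
int replay_race(int guarded)
{
    struct addrhead head;
    struct addr fe80, other;     /* constructed sample entries */
    int first;

    list_init(&head);
    memset(&fe80, 0, sizeof fe80);
    memset(&other, 0, sizeof other);
    strcpy(fe80.name, "fe80::225:90ff:fec9:a5fd");
    strcpy(other.name, "2001:db8::1");   /* gives fe80 a successor */
    fe80.linked = other.linked = 1;
    insert_tail(&head, &fe80);
    insert_tail(&head, &other);

    first = guarded ? unlink_guarded(&head, &fe80)
                    : unlink_unguarded(&head, &fe80);
    if (first != LINK_OK)
        return -2;
    return guarded ? unlink_guarded(&head, &fe80)
                   : unlink_unguarded(&head, &fe80);
}
```

replay_race(0) returns BAD_NEXT_PREV: after the first removal fe80's tqe_next still points at the successor, but the successor's tqe_prev now points at the list head, which is exactly the next->prev != elm condition the panic reports. replay_race(1) returns ALREADY_GONE. The model serializes the two callers; reproducing the real race needs the two concurrent netif restarts from the report's loop.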