Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 3 Oct 2005 04:37:41 +0400 (MSD)
From:      Yar Tikhiy <yar@comp.chem.msu.su>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        mlaier@FreeBSD.org, glebius@FreeBSD.org
Subject:   kern/86848: [pf][multicast] destroying active syncdev leads to panic
Message-ID:  <200510030037.j930bfsV025924@behemoth.ramtel.ru>
Resent-Message-ID: <200510030040.j930eI7F088286@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 

>Number:         86848
>Category:       kern
>Synopsis:       [pf][multicast] destroying active syncdev leads to panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 03 00:40:17 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Yar Tikhiy
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
MSU
>Environment:
	CURRENT
	
>Description:
	If you destroy an interface that is acting as syncdev
	for pfsync0, the system will panic as soon as the next
	pfsync update is sent out, i.e., in a moment.

	This looks like another case of deref'ing a cached pointer
	to a now-dead interface by IP multicast code.  Such cases
	should be dealt with at once IMHO instead of rolling particular
	solutions to each of them.

	The panic is reproducible.  The stack trace is as follows:

	(kgdb) bt
	#0  doadump () at pcpu.h:165
	#1  0xc04daa04 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:399
	#2  0xc04dacaf in panic (fmt=0xc06439b5 "from debugger")
	    at /usr/src/sys/kern/kern_shutdown.c:555
	#3  0xc045b549 in db_panic (addr=-1068253756, have_addr=0, count=-1, modif=0xcc7f4918 "")
	    at /usr/src/sys/ddb/db_command.c:434
	#4  0xc045b4e0 in db_command (last_cmdp=0xc06a1504, cmd_table=0x0,
	    aux_cmd_tablep=0xc066fd40, aux_cmd_tablep_end=0xc066fd44)
	    at /usr/src/sys/ddb/db_command.c:403
	#5  0xc045b5a8 in db_command_loop () at /usr/src/sys/ddb/db_command.c:454
	#6  0xc045d19d in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_main.c:221
	#7  0xc04f26d3 in kdb_trap (type=12, code=0, tf=0xcc7f4ab0)
	    at /usr/src/sys/kern/subr_kdb.c:473
	#8  0xc062b984 in trap_fatal (frame=0xcc7f4ab0, eva=3735929054)
	    at /usr/src/sys/i386/i386/trap.c:822
	#9  0xc062b6f3 in trap_pfault (frame=0xcc7f4ab0, usermode=0, eva=3735929054)
	    at /usr/src/sys/i386/i386/trap.c:742
	#10 0xc062b33d in trap (frame=
	      {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = 0, tf_esi = -1067127111, tf_ebp = -864072976, tf_isp = -864072996, tf_ebx = -1067127084, tf_edx = -559038242, tf_ecx = 0, tf_eax = -559038242, tf_trapno = 12, tf_err = 0, tf_eip = -1068253756, tf_cs = 32, tf_eflags = 582, tf_esp = -864072776, tf_ss = -1068545840}) at /usr/src/sys/i386/i386/trap.c:432
	#11 0xc061e21a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
	#12 0xc053bdc4 in strlen (str=0xdeadc0de <Address 0xdeadc0de out of bounds>)
	    at /usr/src/sys/libkern/strlen.c:41
	#13 0xc04f48d0 in kvprintf (fmt=0xc064eed4 " @ %s:%d", func=0xc04f41f8 <snprintf_func>,
	    arg=0xcc7f4bd4, radix=10, ap=0xcc7f4c1c "l²eÀ(\001")
	    at /usr/src/sys/kern/subr_prf.c:679
	#14 0xc04f4195 in vsnprintf (str=0xdeadc0de <Address 0xdeadc0de out of bounds>,
	    size=3735929054, format=0xc064eeb9 "mtx_lock() of spin mutex %s @ %s:%d",
	    ap=0xcc7f4c18 "ÞÀ­Þl²eÀ(\001") at /usr/src/sys/kern/subr_prf.c:413
	#15 0xc04dabfb in panic (fmt=0xc064eeb9 "mtx_lock() of spin mutex %s @ %s:%d")
	    at /usr/src/sys/kern/kern_shutdown.c:522
	---Type <return> to continue, or q <return> to quit---
	#16 0xc04d308b in _mtx_lock_flags (m=0xc1284660, opts=0,
	    file=0xc065b26c "/usr/src/sys/netinet/ip_output.c", line=296)
	    at /usr/src/sys/kern/kern_mutex.c:269
	#17 0xc0554447 in ip_output (m=0xc14b2100, opt=0xc1394aa8, ro=0xcc7f4c5c, flags=2,
	    imo=0xc122f208, inp=0x0) at /usr/src/sys/netinet/ip_output.c:296
	#18 0xc0435fa2 in pfsync_senddef (arg=0xc122f200)
	    at /usr/src/sys/contrib/pf/net/if_pfsync.c:1836
	#19 0xc04e5d9d in softclock (dummy=0x0) at /usr/src/sys/kern/kern_timeout.c:290
	#20 0xc04c873c in ithread_loop (arg=0xc1104600) at /usr/src/sys/kern/kern_intr.c:547
	#21 0xc04c7bac in fork_exit (callout=0xc04c85f8 <ithread_loop>, arg=0xc1104600,
	    frame=0xcc7f4d38) at /usr/src/sys/kern/kern_fork.c:789
	#22 0xc061e27c in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:208
	(kgdb) frame 17
	#17 0xc0554447 in ip_output (m=0xc14b2100, opt=0xc1394aa8, ro=0xcc7f4c5c, flags=2,
	    imo=0xc122f208, inp=0x0) at /usr/src/sys/netinet/ip_output.c:296
	296                     IN_LOOKUP_MULTI(ip->ip_dst, ifp, inm);
	(kgdb) frame 18
	#18 0xc0435fa2 in pfsync_senddef (arg=0xc122f200)
	    at /usr/src/sys/contrib/pf/net/if_pfsync.c:1836
	1836                    if (ip_output(m, NULL, NULL, IP_RAWOUTPUT, &sc->sc_imo, NULL))

>How-To-Repeat:
	ifconfig vlan1 ... up
	ifconfig pfsync0 syncdev vlan1 up
	ifconfig vlan1 unplumb
	[panic!]

>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200510030037.j930bfsV025924>