Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 21 Feb 2009 00:50:15 +0100
From:      Lucius Windschuh <lwindschuh@googlemail.com>
To:        net@freebsd.org
Subject:   ifconfig tun0 destroy: panic: Bad link elm ... prev->next != elm
Message-ID:  <90a5caac0902201550l4bf5878x17fd77c9c188a4ec@mail.gmail.com>

next in thread | raw e-mail | index | archive | help
Hi guys.

This is a kind of follow-up to PR kern/116837 (please mark as
solved?). The described issue is solved, but now we have this issue.
The following simple steps lead to a kernel panic on my system (i386,
SMP, CURRENT from Feb. 18th):

-->8--
cat < /dev/tun0 > /dev/tun0 &
ifconfig tun0 up
ifconfig tun0 destroy & ifconfig tun0 destroy
--8<--

Panic string: Bad link elm 0xc6437c00 prev->next != elm

Responsible backtraces:

Tracing pid 1610 tid 100114 td 0xc686f240
kdb_enter(c090abd7,c090abd7,c08e2418,eaefeb6c,0,...) at kdb_enter+0x3a
panic(c08e2418,c6437c00,c091867f,d3,2d,...) at panic+0x136
if_clone_destroyif(c0976300,c6437c00,c091867f,bf,0,...) at
if_clone_destroyif+0x8a
if_clone_destroy(c724f320,19c,eaefebd4,c0604976,c1494788,...) at
if_clone_destroy+0xa2
ifioctl(c7077dc8,80206979,c724f320,c686f240,80206979,...) at ifioctl+0x116
soo_ioctl(c71deaf0,80206979,c724f320,c722a000,c686f240,...) at soo_ioctl+0x397
kern_ioctl(c686f240,3,80206979,c724f320,64c3c0,...) at kern_ioctl+0x1dd
ioctl(c686f240,eaefecf8,c,c,c09644b0,...) at ioctl+0x134
syscall(eaefed38) at syscall+0x2a3
Xint0x80_syscall() at Xint0x80_syscall+0x20

Tracing command ifconfig pid 1611 tid 100194 td 0xc6c9b000
sched_switch(c6c9b000,0,104,18d,5796c911,...) at sched_switch+0x437
mi_switch(104,0,c090edc3,1d2,0,...) at mi_switch+0x200
sleepq_switch(c6c9b000,0,c090edc3,247,c6c9b000,...) at sleepq_switch+0x15f
sleepq_wait(c69aa850,0,c0918d9f,1,0,...) at sleepq_wait+0x63
_cv_wait_unlock(c69aa850,c69aa83c,c0918d76,102,c69aa800,...) at
_cv_wait_unlock+0x1d4
tun_destroy(c09ca0d8,0,c0918d76,11c) at tun_destroy+0x49
tun_clone_destroy(c6437c00,c6437c00,c6437c00,c0976300,eb04eb88,...) at
tun_clone_destroy+0xb8
ifc_simple_destroy(c0976300,c6437c00,c091867f,d5,2d,...) at
ifc_simple_destroy+0x27
if_clone_destroyif(c0976300,c6437c00,c091867f,bf,0,...) at
if_clone_destroyif+0xe1
if_clone_destroy(c677cb20,19c,eb04ebd4,c0604976,c1494788,...) at
if_clone_destroy+0xa2
ifioctl(c7257620,80206979,c677cb20,c6c9b000,80206979,...) at ifioctl+0x116
soo_ioctl(c7285bd0,80206979,c677cb20,c722a000,c6c9b000,...) at soo_ioctl+0x397
kern_ioctl(c6c9b000,3,80206979,c677cb20,64c3c0,...) at kern_ioctl+0x1dd
ioctl(c6c9b000,eb04ecf8,c,c,c09644b0,...) at ioctl+0x134
syscall(eb04ed38) at syscall+0x2a3
Xint0x80_syscall() at Xint0x80_syscall+0x20
--- syscall (54, FreeBSD ELF32, ioctl), eip = 0x281b4b83, esp =
0xbfbfe47c, ebp = 0xbfbfe498 ---

OK, it's odd to destroy an interface two times in parallel. But it
shouldn't crash the kernel. ;-)

This panic is triggered reliably.
To rule out side effects of my kernel config, I ran the same test with
the GENERIC config and got the same result: panic.

The textdump is available here:
http://sites.google.com/site/lwfreebsd/Home/files/tun0-double-destroy.zip?attredirects=0

I can supply more information if needed.


Kind regards,

Lucius



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?90a5caac0902201550l4bf5878x17fd77c9c188a4ec>