From owner-freebsd-net@FreeBSD.ORG Sat Feb 21 00:17:00 2009 Return-Path: Delivered-To: net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6CAE7106568F for ; Sat, 21 Feb 2009 00:17:00 +0000 (UTC) (envelope-from lwindschuh@googlemail.com) Received: from rv-out-0506.google.com (rv-out-0506.google.com [209.85.198.239]) by mx1.freebsd.org (Postfix) with ESMTP id 3F2648FC1D for ; Sat, 21 Feb 2009 00:17:00 +0000 (UTC) (envelope-from lwindschuh@googlemail.com) Received: by rv-out-0506.google.com with SMTP id g9so1084144rvb.3 for ; Fri, 20 Feb 2009 16:16:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type:content-transfer-encoding; bh=/bh9UPESinsfOPyB01waA68o+Z3Z9WkcEuow4J+gYmQ=; b=TNX8NIbrW1cBddrWJPNoFkHUm5LwelHS0vQU0+i9TJjiSq6gdttD/jFu/f8DOTgWrk 2j+5UbO8Ct4Y/wjQZv5StDOfqB7ZS4YxeNkq1MPL2rCb+q78BM5ZtZW+AIsDQZPuOp9M ZQGahmHwgCxfnKE0LoKGV7AK2PgdSQ2mdUXok= DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type :content-transfer-encoding; b=kjJv5MI4BOOiH9zHUTzbjRf38CWSIchMPZkJOVfuDUPyKtrX/gzZ7VOtkxAp9Pw+FY YXdhFEgMbyXKZgl1p9sIPZUMKGYU8MbkfDK1Z6C6EzLG+T+S3Ow42fa/h9BgwvVHumJf dnC/Wcryi5b9tZgDUgCkk/Je5QIqzyQpBPEjY= MIME-Version: 1.0 Received: by 10.141.62.9 with SMTP id p9mr657701rvk.80.1235173815028; Fri, 20 Feb 2009 15:50:15 -0800 (PST) Date: Sat, 21 Feb 2009 00:50:15 +0100 Message-ID: <90a5caac0902201550l4bf5878x17fd77c9c188a4ec@mail.gmail.com> From: Lucius Windschuh To: net@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: Subject: ifconfig tun0 destroy: panic: Bad link elm ... prev->next != elm X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Feb 2009 00:17:01 -0000 Hi guys. This is a kind of follow-up to PR kern/116837 (please mark as solved?). The described issue is solved, but now we have this issue. The following simple steps lead to a kernel panic on my system (i386, SMP, CURRENT from Feb. 18th): -->8-- cat < /dev/tun0 > /dev/tun0 & ifconfig tun0 up ifconfig tun0 destroy & ifconfig tun0 destroy --8<-- Panic string: Bad link elm 0xc6437c00 prev->next != elm Responsible backtraces: Tracing pid 1610 tid 100114 td 0xc686f240 kdb_enter(c090abd7,c090abd7,c08e2418,eaefeb6c,0,...) at kdb_enter+0x3a panic(c08e2418,c6437c00,c091867f,d3,2d,...) at panic+0x136 if_clone_destroyif(c0976300,c6437c00,c091867f,bf,0,...) at if_clone_destroyif+0x8a if_clone_destroy(c724f320,19c,eaefebd4,c0604976,c1494788,...) at if_clone_destroy+0xa2 ifioctl(c7077dc8,80206979,c724f320,c686f240,80206979,...) at ifioctl+0x116 soo_ioctl(c71deaf0,80206979,c724f320,c722a000,c686f240,...) at soo_ioctl+0x397 kern_ioctl(c686f240,3,80206979,c724f320,64c3c0,...) at kern_ioctl+0x1dd ioctl(c686f240,eaefecf8,c,c,c09644b0,...) at ioctl+0x134 syscall(eaefed38) at syscall+0x2a3 Xint0x80_syscall() at Xint0x80_syscall+0x20 Tracing command ifconfig pid 1611 tid 100194 td 0xc6c9b000 sched_switch(c6c9b000,0,104,18d,5796c911,...) at sched_switch+0x437 mi_switch(104,0,c090edc3,1d2,0,...) at mi_switch+0x200 sleepq_switch(c6c9b000,0,c090edc3,247,c6c9b000,...) at sleepq_switch+0x15f sleepq_wait(c69aa850,0,c0918d9f,1,0,...) at sleepq_wait+0x63 _cv_wait_unlock(c69aa850,c69aa83c,c0918d76,102,c69aa800,...) at _cv_wait_unlock+0x1d4 tun_destroy(c09ca0d8,0,c0918d76,11c) at tun_destroy+0x49 tun_clone_destroy(c6437c00,c6437c00,c6437c00,c0976300,eb04eb88,...) at tun_clone_destroy+0xb8 ifc_simple_destroy(c0976300,c6437c00,c091867f,d5,2d,...) at ifc_simple_destroy+0x27 if_clone_destroyif(c0976300,c6437c00,c091867f,bf,0,...) at if_clone_destroyif+0xe1 if_clone_destroy(c677cb20,19c,eb04ebd4,c0604976,c1494788,...) at if_clone_destroy+0xa2 ifioctl(c7257620,80206979,c677cb20,c6c9b000,80206979,...) at ifioctl+0x116 soo_ioctl(c7285bd0,80206979,c677cb20,c722a000,c6c9b000,...) at soo_ioctl+0x397 kern_ioctl(c6c9b000,3,80206979,c677cb20,64c3c0,...) at kern_ioctl+0x1dd ioctl(c6c9b000,eb04ecf8,c,c,c09644b0,...) at ioctl+0x134 syscall(eb04ed38) at syscall+0x2a3 Xint0x80_syscall() at Xint0x80_syscall+0x20 --- syscall (54, FreeBSD ELF32, ioctl), eip = 0x281b4b83, esp = 0xbfbfe47c, ebp = 0xbfbfe498 --- OK, it's odd to destroy an interface two times in parallel. But it shouldn't crash the kernel. ;-) This panic is triggered reliably. To rule out side effects of my kernel config, I ran the same test with the GENERIC config and got the same result: panic. The textdump is available here: http://sites.google.com/site/lwfreebsd/Home/files/tun0-double-destroy.zip?attredirects=0 I can supply more information if needed. Kind regards, Lucius