From owner-freebsd-net@FreeBSD.ORG  Sat Feb 21 14:10:02 2009
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 5B769106564A
	for <freebsd-net@hub.freebsd.org>; Sat, 21 Feb 2009 14:10:02 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id 3E5788FC15
	for <freebsd-net@hub.freebsd.org>; Sat, 21 Feb 2009 14:10:02 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n1LEA24l029104
	for <freebsd-net@freefall.freebsd.org>; Sat, 21 Feb 2009 14:10:02 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n1LEA2Lu029103;
	Sat, 21 Feb 2009 14:10:02 GMT (envelope-from gnats)
Date: Sat, 21 Feb 2009 14:10:02 GMT
Message-Id: <200902211410.n1LEA2Lu029103@freefall.freebsd.org>
To: freebsd-net@FreeBSD.org
From: Lucius Windschuh <lwindschuh@googlemail.com>
Cc: 
Subject: Re: kern/116837: [tun] [panic] [patch] ifconfig tunX destroy: panic
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Lucius Windschuh <lwindschuh@googlemail.com>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Feb 2009 14:10:02 -0000

The following reply was made to PR kern/116837; it has been noted by GNATS.

From: Lucius Windschuh <lwindschuh@googlemail.com>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: kern/116837: [tun] [panic] [patch] ifconfig tunX destroy: panic
Date: Sat, 21 Feb 2009 14:27:45 +0100

 This is a follow-up to PR kern/116837. The described issue is solved,
 but now we have this issue.
 The following simple steps lead to a kernel panic on my system (i386,
 SMP, 8-CURRENT from Feb. 18th):
 
 -->8--
 cat < /dev/tun0 > /dev/tun0 &
 ifconfig tun0 up
 ifconfig tun0 destroy & ifconfig tun0 destroy
 --8<--
 
 Panic string: Bad link elm 0xc6437c00 prev->next != elm
 
 Responsible backtraces:
 
 Tracing pid 1610 tid 100114 td 0xc686f240
 kdb_enter(c090abd7,c090abd7,c08e2418,eaefeb6c,0,...) at kdb_enter+0x3a
 panic(c08e2418,c6437c00,c091867f,d3,2d,...) at panic+0x136
 if_clone_destroyif(c0976300,c6437c00,c091867f,bf,0,...) at
 if_clone_destroyif+0x8a
 if_clone_destroy(c724f320,19c,eaefebd4,c0604976,c1494788,...) at
 if_clone_destroy+0xa2
 ifioctl(c7077dc8,80206979,c724f320,c686f240,80206979,...) at ifioctl+0x116
 soo_ioctl(c71deaf0,80206979,c724f320,c722a000,c686f240,...) at soo_ioctl+0x397
 kern_ioctl(c686f240,3,80206979,c724f320,64c3c0,...) at kern_ioctl+0x1dd
 ioctl(c686f240,eaefecf8,c,c,c09644b0,...) at ioctl+0x134
 syscall(eaefed38) at syscall+0x2a3
 Xint0x80_syscall() at Xint0x80_syscall+0x20
 
 Tracing command ifconfig pid 1611 tid 100194 td 0xc6c9b000
 sched_switch(c6c9b000,0,104,18d,5796c911,...) at sched_switch+0x437
 mi_switch(104,0,c090edc3,1d2,0,...) at mi_switch+0x200
 sleepq_switch(c6c9b000,0,c090edc3,247,c6c9b000,...) at sleepq_switch+0x15f
 sleepq_wait(c69aa850,0,c0918d9f,1,0,...) at sleepq_wait+0x63
 _cv_wait_unlock(c69aa850,c69aa83c,c0918d76,102,c69aa800,...) at
 _cv_wait_unlock+0x1d4
 tun_destroy(c09ca0d8,0,c0918d76,11c) at tun_destroy+0x49
 tun_clone_destroy(c6437c00,c6437c00,c6437c00,c0976300,eb04eb88,...) at
 tun_clone_destroy+0xb8
 ifc_simple_destroy(c0976300,c6437c00,c091867f,d5,2d,...) at
 ifc_simple_destroy+0x27
 if_clone_destroyif(c0976300,c6437c00,c091867f,bf,0,...) at
 if_clone_destroyif+0xe1
 if_clone_destroy(c677cb20,19c,eb04ebd4,c0604976,c1494788,...) at
 if_clone_destroy+0xa2
 ifioctl(c7257620,80206979,c677cb20,c6c9b000,80206979,...) at ifioctl+0x116
 soo_ioctl(c7285bd0,80206979,c677cb20,c722a000,c6c9b000,...) at soo_ioctl+0x397
 kern_ioctl(c6c9b000,3,80206979,c677cb20,64c3c0,...) at kern_ioctl+0x1dd
 ioctl(c6c9b000,eb04ecf8,c,c,c09644b0,...) at ioctl+0x134
 syscall(eb04ed38) at syscall+0x2a3
 Xint0x80_syscall() at Xint0x80_syscall+0x20
 --- syscall (54, FreeBSD ELF32, ioctl), eip = 0x281b4b83, esp =
 0xbfbfe47c, ebp = 0xbfbfe498 ---
 
 OK, it's odd to destroy an interface two times in parallel. But it
 shouldn't crash the kernel. ;-)
 
 This panic is triggered reliably.
 To rule out side effects of my kernel config, I ran the same test with
 the GENERIC config and got the same result: panic.
 
 The textdump is available here:
 http://sites.google.com/site/lwfreebsd/Home/files/tun0-double-destroy.zip?attredirects=0
 
 I can supply more information if needed.
 
 
 Kind regards,
 
 Lucius