Date: Sat, 21 Feb 2009 14:10:02 GMT From: Lucius Windschuh <lwindschuh@googlemail.com> To: freebsd-net@FreeBSD.org Subject: Re: kern/116837: [tun] [panic] [patch] ifconfig tunX destroy: panic Message-ID: <200902211410.n1LEA2Lu029103@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR kern/116837; it has been noted by GNATS. From: Lucius Windschuh <lwindschuh@googlemail.com> To: bug-followup@freebsd.org Cc: Subject: Re: kern/116837: [tun] [panic] [patch] ifconfig tunX destroy: panic Date: Sat, 21 Feb 2009 14:27:45 +0100 This is a follow-up to PR kern/116837. The described issue is solved, but now we have this issue. The following simple steps lead to a kernel panic on my system (i386, SMP, 8-CURRENT from Feb. 18th): -->8-- cat < /dev/tun0 > /dev/tun0 & ifconfig tun0 up ifconfig tun0 destroy & ifconfig tun0 destroy --8<-- Panic string: Bad link elm 0xc6437c00 prev->next != elm Responsible backtraces: Tracing pid 1610 tid 100114 td 0xc686f240 kdb_enter(c090abd7,c090abd7,c08e2418,eaefeb6c,0,...) at kdb_enter+0x3a panic(c08e2418,c6437c00,c091867f,d3,2d,...) at panic+0x136 if_clone_destroyif(c0976300,c6437c00,c091867f,bf,0,...) at if_clone_destroyif+0x8a if_clone_destroy(c724f320,19c,eaefebd4,c0604976,c1494788,...) at if_clone_destroy+0xa2 ifioctl(c7077dc8,80206979,c724f320,c686f240,80206979,...) at ifioctl+0x116 soo_ioctl(c71deaf0,80206979,c724f320,c722a000,c686f240,...) at soo_ioctl+0x397 kern_ioctl(c686f240,3,80206979,c724f320,64c3c0,...) at kern_ioctl+0x1dd ioctl(c686f240,eaefecf8,c,c,c09644b0,...) at ioctl+0x134 syscall(eaefed38) at syscall+0x2a3 Xint0x80_syscall() at Xint0x80_syscall+0x20 Tracing command ifconfig pid 1611 tid 100194 td 0xc6c9b000 sched_switch(c6c9b000,0,104,18d,5796c911,...) at sched_switch+0x437 mi_switch(104,0,c090edc3,1d2,0,...) at mi_switch+0x200 sleepq_switch(c6c9b000,0,c090edc3,247,c6c9b000,...) at sleepq_switch+0x15f sleepq_wait(c69aa850,0,c0918d9f,1,0,...) at sleepq_wait+0x63 _cv_wait_unlock(c69aa850,c69aa83c,c0918d76,102,c69aa800,...) at _cv_wait_unlock+0x1d4 tun_destroy(c09ca0d8,0,c0918d76,11c) at tun_destroy+0x49 tun_clone_destroy(c6437c00,c6437c00,c6437c00,c0976300,eb04eb88,...) at tun_clone_destroy+0xb8 ifc_simple_destroy(c0976300,c6437c00,c091867f,d5,2d,...) at ifc_simple_destroy+0x27 if_clone_destroyif(c0976300,c6437c00,c091867f,bf,0,...) at if_clone_destroyif+0xe1 if_clone_destroy(c677cb20,19c,eb04ebd4,c0604976,c1494788,...) at if_clone_destroy+0xa2 ifioctl(c7257620,80206979,c677cb20,c6c9b000,80206979,...) at ifioctl+0x116 soo_ioctl(c7285bd0,80206979,c677cb20,c722a000,c6c9b000,...) at soo_ioctl+0x397 kern_ioctl(c6c9b000,3,80206979,c677cb20,64c3c0,...) at kern_ioctl+0x1dd ioctl(c6c9b000,eb04ecf8,c,c,c09644b0,...) at ioctl+0x134 syscall(eb04ed38) at syscall+0x2a3 Xint0x80_syscall() at Xint0x80_syscall+0x20 --- syscall (54, FreeBSD ELF32, ioctl), eip = 0x281b4b83, esp = 0xbfbfe47c, ebp = 0xbfbfe498 --- OK, it's odd to destroy an interface two times in parallel. But it shouldn't crash the kernel. ;-) This panic is triggered reliably. To rule out side effects of my kernel config, I ran the same test with the GENERIC config and got the same result: panic. The textdump is available here: http://sites.google.com/site/lwfreebsd/Home/files/tun0-double-destroy.zip?attredirects=0 I can supply more information if needed. Kind regards, Lucius
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200902211410.n1LEA2Lu029103>