Site Navigation

Date:      Fri, 01 Nov 2019 17:42:49 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 241646] netgraph/ng_bridge kernel panic after r353030
Message-ID:  <bug-241646-227@https.bugs.freebsd.org/bugzilla/>

---

next in thread | raw e-mail | index | archive | help

---

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D241646

            Bug ID: 241646
           Summary: netgraph/ng_bridge kernel panic after r353030
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: aleksandr.fedorov@itglobal.com

I observe the following kernel panic after r353030:

Reading symbols from /boot/kernel/kernel...
Reading symbols from /usr/lib/debug//boot/kernel/kernel.debug...

Unread portion of the kernel message buffer:
panic: ng_bridge_timeout: links: 1 !=3D 0
cpuid =3D 0
time =3D 1572351202
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe007184d=
890
vpanic() at vpanic+0x17e/frame 0xfffffe007184d8f0
panic() at panic+0x43/frame 0xfffffe007184d950
ng_bridge_timeout() at ng_bridge_timeout+0x1e1/frame 0xfffffe007184d990
ng_apply_item() at ng_apply_item+0xee/frame 0xfffffe007184da10
ng_snd_item() at ng_snd_item+0x2b0/frame 0xfffffe007184da50
ng_callout_trampoline() at ng_callout_trampoline+0x3f/frame 0xfffffe007184d=
a70
softclock_call_cc() at softclock_call_cc+0x14b/frame 0xfffffe007184db20
softclock() at softclock+0x7c/frame 0xfffffe007184db50
ithread_loop() at ithread_loop+0x1c6/frame 0xfffffe007184dbb0
fork_exit() at fork_exit+0x80/frame 0xfffffe007184dbf0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe007184dbf0
--- trap 0, rip =3D 0, rsp =3D 0, rbp =3D 0 ---
Uptime: 1h6m40s
Dumping 5780 out of 65374 MB:..1%..11%..21%..31%..41%..51%..61%..71%..81%..=
91%

__curthread ()
    at /afedorov/vstack-develop-freebsd/sys/amd64/include/pcpu_aux.h:55
55      /afedorov/vstack-develop-freebsd/sys/amd64/include/pcpu_aux.h: No s=
uch
file or directory.
(kgdb) #0  __curthread ()
    at /afedorov/vstack-develop-freebsd/sys/amd64/include/pcpu_aux.h:55
#1  doadump (textdump=3D1)
    at /afedorov/vstack-develop-freebsd/sys/kern/kern_shutdown.c:392
#2  0xffffffff80bc0750 in kern_reboot (howto=3D260)
    at /afedorov/vstack-develop-freebsd/sys/kern/kern_shutdown.c:479
#3  0xffffffff80bc0ba6 in vpanic (fmt=3D<optimized out>, ap=3D<optimized ou=
t>)
    at /afedorov/vstack-develop-freebsd/sys/kern/kern_shutdown.c:908
#4  0xffffffff80bc0903 in panic (fmt=3D<unavailable>)
    at /afedorov/vstack-develop-freebsd/sys/kern/kern_shutdown.c:835
#5  0xffffffff837481e1 in ng_bridge_timeout (node=3D0xfffff80023a7ac00,=20
    hook=3D<optimized out>, arg1=3D<optimized out>, arg2=3D<optimized out>)
    at /afedorov/vstack-develop-freebsd/sys/netgraph/ng_bridge.c:1021
#6  0xffffffff82e6b80e in ng_apply_item (node=3D0xfffff80023a7ac00,=20
    item=3D0xfffff8024fbf3c00, rw=3D<unavailable>)
    at /afedorov/vstack-develop-freebsd/sys/netgraph/ng_base.c:2474
#7  0xffffffff82e6b520 in ng_snd_item (item=3D0xfffff8024fbf3c00, flags=3D0)
    at /afedorov/vstack-develop-freebsd/sys/netgraph/ng_base.c:2320
#8  0xffffffff82e6d8ef in ng_callout_trampoline (arg=3D<unavailable>)
    at /afedorov/vstack-develop-freebsd/sys/netgraph/ng_base.c:3774
#9  0xffffffff80bdb1fb in softclock_call_cc (c=3D<optimized out>,=20
    cc=3D0xffffffff81db4e80 <cc_cpu>, direct=3D<optimized out>)
    at /afedorov/vstack-develop-freebsd/sys/kern/kern_timeout.c:740
#10 0xffffffff80bdb5ac in softclock (arg=3D0xffffffff81db4e80 <cc_cpu>)
    at /afedorov/vstack-develop-freebsd/sys/kern/kern_timeout.c:878


Panic occurs at
https://svnweb.freebsd.org/base/head/sys/netgraph/ng_bridge.c?revision=3D35=
3030&view=3Dmarkup#l1021

The ng_bridge_timeout () function calls NG_NODE_FOREACH_HOOK (node,
ng_bridge_unmute, &counter, ret).

But the ng_bridge_unmute () function does not change the value of the 'coun=
ter'
variable. So, KASSERT () is triggered.

The ng_bridge_unmute () function seems to have bugs.

--------------------------------
static int
ng_bridge_unmute(hook_p hook, void *arg)
{
        link_p link =3D NG_HOOK_PRIVATE(hook);
        node_p node =3D NG_HOOK_NODE(hook);
        priv_p priv =3D NG_NODE_PRIVATE(node);
        int *counter =3D arg; <<<< Get the int pointer!!!

        if (link->loopCount !=3D 0) {
                link->loopCount--;
                if (link->loopCount =3D=3D 0 && priv->conf.debugLevel >=3D =
2) {
                        log(LOG_INFO, "ng_bridge: %s:"
                            " restoring looped back %s\n",
                            ng_bridge_nodename(node), NG_HOOK_NAME(hook));
                }
        }
        counter++; <<<<< Increase address of local ponter
        return (1);
}
----------------------------------

As a workaround, I used the following patch:

diff --git a/sys/netgraph/ng_bridge.c b/sys/netgraph/ng_bridge.c
index cd649f0db1ce..44cb1330ee35 100644
--- a/sys/netgraph/ng_bridge.c
+++ b/sys/netgraph/ng_bridge.c
@@ -977,7 +977,8 @@ ng_bridge_unmute(hook_p hook, void *arg)
                            ng_bridge_nodename(node), NG_HOOK_NAME(hook));
                }
        }
-       counter++;
+
+       (*counter)++;
        return (1);
 }

But it seems to me that the 'counter' variable is not needed at all, like
KASSERT ().

--=20
You are receiving this mail because:
You are the assignee for the bug.=

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-241646-227>

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact