Date:      Fri, 19 Jun 2020 17:49:07 +0000
From:      bugzilla-noreply@freebsd.org
To:        net@FreeBSD.org
Subject:   [Bug 246819] Kernel panic with ifconfig destroy
Message-ID:  <bug-246819-7501-FlWp6cFm6o@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-246819-7501@https.bugs.freebsd.org/bugzilla/>
References:  <bug-246819-7501@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246819

Mark Johnston <markj@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |Open
                 CC|                            |markj@FreeBSD.org

--- Comment #3 from Mark Johnston <markj@FreeBSD.org> ---
(In reply to Ashish Gupta from comment #2)
Looks like we are panicking because the counters in the in6_ifstat block are
freed.  In particular, the panic happens while executing:

        in6_ifstat_inc(ifp, ifs6_out_request);

which expands to

#define in6_ifstat_inc(ifp, tag) \
do {                                                            \
        if (ifp)                                                \
                counter_u64_add(((struct in6_ifextra *)         \
                    ((ifp)->if_afdata[AF_INET6]))->in6_ifstat[  \
                    offsetof(struct in6_ifstat, tag) / sizeof(uint64_t)], 1);\
} while (/*CONSTCOND*/ 0)

and the fault address is 0, so it shouldn't be from the if_afdata dereference
or the in6_ifstat dereference (since ifs6_out_request is not the first counter
in the block).

So the interface is already destroyed, but we are sending TCP keepalives
through it.
