From owner-freebsd-bugs@freebsd.org  Sun Aug  7 19:01:33 2016
Return-Path: <owner-freebsd-bugs@freebsd.org>
Delivered-To: freebsd-bugs@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id D43D9BB103C
 for <freebsd-bugs@mailman.ysv.freebsd.org>;
 Sun,  7 Aug 2016 19:01:33 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2001:1900:2254:206a::16:76])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id BA9231379
 for <freebsd-bugs@FreeBSD.org>; Sun,  7 Aug 2016 19:01:33 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from bugs.freebsd.org ([127.0.1.118])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id u77J1X9G030904
 for <freebsd-bugs@FreeBSD.org>; Sun, 7 Aug 2016 19:01:33 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 211644] ifconfig concurrency bug (kernel panic)
Date: Sun, 07 Aug 2016 19:01:33 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 10.3-RELEASE
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: jeka@2x4.ru
X-Bugzilla-Status: New
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform
 op_sys bug_status bug_severity priority component assigned_to reporter cc
Message-ID: <bug-211644-8@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs/>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Aug 2016 19:01:33 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D211644

            Bug ID: 211644
           Summary: ifconfig concurrency bug (kernel panic)
           Product: Base System
           Version: 10.3-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: jeka@2x4.ru
                CC: freebsd-amd64@FreeBSD.org
                CC: freebsd-amd64@FreeBSD.org

- can not add or remove ip from interface.
- system crash.

How to reproduce:

in first ssh console:

#!/bin/sh
ifconfig tap50 create

while [ 1 ] ; do
ifconfig tap50 alias 1.2.3.4/31
ifconfig tap50 -alias 1.2.3.4
done

in second ssh console:

#!/bin/sh
while [ 1 ] ; do
ifconfig tap50 alias 1.2.3.4/31
done

After few seconds system output: "can not assign requested address".
After this i can not add/remove this ip to interface.
If i wait about 1 minute with active scripts, kernel panic occurs.



Fatal trap 12: page fault while in kernel mode
cpuid =3D 1; apic id =3D 02
fault virtual address<->=3D 0x6000a1276
fault code<----><------>=3D supervisor read data, page not present
instruction pointer<--->=3D 0x20:0xffffffff80a0be89
stack pointer<->        =3D 0x28:0xfffffe0233db7270
frame pointer<->        =3D 0x28:0xfffffe0233db72e0
code segment<--><------>=3D base 0x0, limit 0xfffff, type 0x1b
<------><------><------>=3D DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags<------>=3D interrupt enabled, resume, IOPL =3D 0
current process><------>=3D 9118 (ifconfig)
trap number<---><------>=3D 12
panic: page fault
cpuid =3D 1
KDB: stack backtrace:
#0 0xffffffff808e7e90 at kdb_backtrace+0x60
#1 0xffffffff808af975 at panic+0x155
#2 0xffffffff80c8e832 at trap_fatal+0x3a2
#3 0xffffffff80c8eb09 at trap_pfault+0x2c9
#4 0xffffffff80c8e296 at trap+0x5e6
#5 0xffffffff80c75532 at calltrap+0x8
#6 0xffffffff809e1687 at sctp_addr_change+0x127
#7 0xffffffff8097aa34 at rt_newaddrmsg_fib+0x44
#8 0xffffffff80a56ca5 at in6_ifaddloop+0x1c5
#9 0xffffffff80a592b9 at in6_update_ifa+0xb99
#10 0xffffffff80a5d54d at in6_ifattach+0x2ed
#11 0xffffffff809682ef at ifioctl+0x7df
#12 0xffffffff808fdfae at kern_ioctl+0x22e
#13 0xffffffff808fdd2f at sys_ioctl+0x11f
#14 0xffffffff80c8f127 at amd64_syscall+0x357
#15 0xffffffff80c7581b at Xfast_syscall+0xfb
Uptime: 1h38m15s

(kgdb) #0  doadump (textdump=3D<value optimized out>) at pcpu.h:219
#1  0xffffffff808af5f0 in kern_reboot (howto=3D260)
    at /usr/src/sys/kern/kern_shutdown.c:447
#2  0xffffffff808af9b4 in panic (fmt=3D<value optimized out>)
    at /usr/src/sys/kern/kern_shutdown.c:754
#3  0xffffffff80c8e832 in trap_fatal (frame=3D<value optimized out>,.
    eva=3D<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:882
#4  0xffffffff80c8eb09 in trap_pfault (frame=3D0xfffffe0233db71c0, usermode=
=3D0)
    at /usr/src/sys/amd64/amd64/trap.c:699
#5  0xffffffff80c8e296 in trap (frame=3D0xfffffe0233db71c0)
    at /usr/src/sys/amd64/amd64/trap.c:463
#6  0xffffffff80c75532 in calltrap ()
    at /usr/src/sys/amd64/amd64/exception.S:232
#7  0xffffffff80a0be89 in sctp_add_addr_to_vrf (vrf_id=3D0,.
    ifn=3D0xfffff8017d899800, ifn_index=3D10, ifn_type=3D6,.
    if_name=3D0xfffff8017d899828 "tap8", ifa=3D0xfffff8017db6dc00,.
    addr=3D<value optimized out>) at /usr/src/sys/netinet/sctp_pcb.c:204
#8  0xffffffff809e1687 in sctp_addr_change (ifa=3D<value optimized out>,.
    cmd=3D<value optimized out>) at /usr/src/sys/netinet/sctp_bsd_addr.c:339
#9  0xffffffff8097aa34 in rt_newaddrmsg_fib (cmd=3D1, ifa=3D0xfffff8017db6d=
c00,.
    error=3D0, rt=3D0xfffffe0233db7400, fibnum=3D-1)
    at /usr/src/sys/net/rtsock.c:1368
#10 0xffffffff80a56ca5 in in6_ifaddloop (ifa=3D0xfffff8017db6dc00)
    at /usr/src/sys/netinet6/in6.c:187
#11 0xffffffff80a592b9 in in6_update_ifa (ifp=3D0xfffff8017d899800,.
    ifra=3D0xfffffe0233db7800, ia=3D<value optimized out>, flags=3D1)
    at /usr/src/sys/netinet6/in6.c:1946
#12 0xffffffff80a5d54d in in6_ifattach (ifp=3D0xfffff8017d899800,.
    altifp=3D<value optimized out>) at /usr/src/sys/netinet6/in6_ifattach.c=
:500
#13 0xffffffff809682ef in ifioctl (so=3D0xfffff8017db38828,.
    cmd=3D<value optimized out>, data=3D0xfffff80008cb3640 "tap8",.
    td=3D0xfffff8017d9c8000) at /usr/src/sys/net/if.c:2172
#14 0xffffffff808fdfae in kern_ioctl (td=3D0xfffff8017d9c8000,.
    fd=3D<value optimized out>, com=3D18446735284017666048) at file.h:319
#15 0xffffffff808fdd2f in sys_ioctl (td=3D0xfffff8017d9c8000,.
    uap=3D0xfffffe0233db7b40) at /usr/src/sys/kern/sys_generic.c:702
#16 0xffffffff80c8f127 in amd64_syscall (td=3D0xfffff8017d9c8000, traced=3D=
0)
    at subr_syscall.c:134
#17 0xffffffff80c7581b in Xfast_syscall ()
    at /usr/src/sys/amd64/amd64/exception.S:391
#18 0x00000008011a308a in ?? ()
Previous frame inner to this frame (corrupt stack?)
Current language:  auto; currently minimal

--=20
You are receiving this mail because:
You are the assignee for the bug.=