Date:      Mon, 25 Dec 2023 17:18:12 +0000
From:      bugzilla-noreply@freebsd.org
To:        net@FreeBSD.org
Subject:   [Bug 275920] Kernel crash in sys/netlink/route/iface.c:124
Message-ID:  <bug-275920-7501-sjUPXz6Aj8@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-275920-7501@https.bugs.freebsd.org/bugzilla/>
References:  <bug-275920-7501@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275920

--- Comment #4 from Kristof Provost <kp@freebsd.org> ---
That code lives in sys/dev/etherswitch/e6000sw/e6000sw.c

It creates a struct ifnet for each port in e6000sw_attach() /
e6000sw_init_interface(). It never actually attaches that ifnet, though. I
believe it's only created so e6000sw can call into the mii code, which is also
how I think we eventually end up in the panicking stack. There's a link state
event, which calls do_link_state_change() -> rtnl_handle_ifevent() ->
dump_iface() -> get_operstate() -> get_operstate_ether(). That wants to know if
the link is up or down, so it tries to ioctl(SIOCGIFMEDIA). Which doesn't go
well if if_ioctl is NULL.

Here's the relevant bit of backtrace:

#7  0x0000000000000000 in ?? ()
#8  0xffff0000006f87f4 in get_operstate_ether (ifp=0xffffa00002f7d000,
    pstate=<optimized out>) at /usr/src/sys/netlink/route/iface.c:124
#9  get_operstate (ifp=0xffffa00002f7d000, pstate=<optimized out>)
    at /usr/src/sys/netlink/route/iface.c:181
#10 dump_iface (nw=nw@entry=0xffff0000877e0780,
    ifp=ifp@entry=0xffffa00002f7d000, hdr=hdr@entry=0xffff0000877e07c0,
    if_flags_mask=if_flags_mask@entry=0)
    at /usr/src/sys/netlink/route/iface.c:310
#11 0xffff0000006f80cc in rtnl_handle_ifevent (ifp=0xffffa00002f7d000,
    nlmsg_type=<optimized out>, if_flags_mask=0)
    at /usr/src/sys/netlink/route/iface.c:1411
#12 0xffff0000005f9cb8 in do_link_state_change (arg=0xffffa00002f7d000,
    pending=1) at /usr/src/sys/net/if.c:2181
#13 0xffff000000525bf0 in taskqueue_run_locked (
    queue=queue@entry=0xffffa0000136d300)
    at /usr/src/sys/kern/subr_taskqueue.c:512
#14 0xffff00000052594c in taskqueue_run (queue=0xffffa0000136d300)
    at /usr/src/sys/kern/subr_taskqueue.c:527

-- 
You are receiving this mail because:
You are the assignee for the bug.
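The failure path the comment describes, modelled in user-space C as an added example (this is not FreeBSD, netlink or e6000sw code). Frame #7 in the backtrace is address 0x0: get_operstate_ether() made an indirect call through if_ioctl on an ifnet whose driver never installed a handler. The struct and macro names below mirror the kernel's for readability, but their definitions, the request and media-bit values, the demo ioctl handler and the two fake interfaces are all hypothetical stand-ins. The NULL guard in the "checked" variant is one illustrative way to tolerate an allocated-but-never-attached ifnet; the page does not say how the FreeBSD developers resolved the bug, and this code does not claim to be that fix.

```c
/*
 * Added example, not kernel code: a user-space model of calling
 * ifp->if_ioctl(SIOCGIFMEDIA) from netlink operstate code when the
 * ifnet was allocated by a driver that never attached it.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical values standing in for the kernel's if_media.h / sockio.h. */
#define IFM_AVALID   0x00000001
#define IFM_ACTIVE   0x00000002
#define SIOCGIFMEDIA 0x0001UL

struct ifnet;
typedef int (*if_ioctl_fn)(struct ifnet *, unsigned long, void *);

/* Minimal stand-in for struct ifnet: only what this demo touches. */
struct ifnet {
	const char  *if_xname;
	if_ioctl_fn  if_ioctl;    /* NULL when no driver handler was installed */
	int          link_active; /* backing state for the demo ioctl handler */
};

struct ifmediareq {
	int ifm_status;
};

enum operstate { OPER_UNKNOWN = 0, OPER_DOWN, OPER_UP };

/* What an attached Ethernet driver would install as if_ioctl (demo only). */
static int
demo_ether_ioctl(struct ifnet *ifp, unsigned long cmd, void *data)
{
	struct ifmediareq *ifmr = data;

	if (cmd != SIOCGIFMEDIA)
		return (EINVAL);
	ifmr->ifm_status = IFM_AVALID | (ifp->link_active ? IFM_ACTIVE : 0);
	return (0);
}

/*
 * The pattern from the report: the media query is issued unconditionally,
 * so an ifnet with if_ioctl == NULL turns into a jump to address 0.
 */
static enum operstate
get_operstate_ether_unchecked(struct ifnet *ifp)
{
	struct ifmediareq ifmr = { 0 };

	/* Faults here if ifp->if_ioctl is NULL. */
	if (ifp->if_ioctl(ifp, SIOCGIFMEDIA, &ifmr) != 0)
		return (OPER_UNKNOWN);
	return ((ifmr.ifm_status & IFM_ACTIVE) ? OPER_UP : OPER_DOWN);
}

/*
 * Illustrative guard (not the committed FreeBSD fix): report "no media
 * information" instead of calling through a missing handler.
 */
static int
get_operstate_ether_checked(struct ifnet *ifp, enum operstate *pstate)
{
	struct ifmediareq ifmr = { 0 };
	int error;

	if (ifp->if_ioctl == NULL) {
		*pstate = OPER_UNKNOWN;
		return (EOPNOTSUPP);
	}
	error = ifp->if_ioctl(ifp, SIOCGIFMEDIA, &ifmr);
	if (error != 0) {
		*pstate = OPER_UNKNOWN;
		return (error);
	}
	*pstate = (ifmr.ifm_status & IFM_ACTIVE) ? OPER_UP : OPER_DOWN;
	return (0);
}

/* Constructed ifnet shaped like the comment's description of an e6000sw
 * port: allocated for the mii code's benefit, no ioctl handler installed. */
static struct ifnet *
make_unattached_port(void)
{
	static struct ifnet port = { "port0", NULL, 1 };
	return (&port);
}

/* Constructed ifnet for a normally attached driver. */
static struct ifnet *
make_attached_nic(int link_active)
{
	static struct ifnet nic = { "demo0", demo_ether_ioctl, 0 };
	nic.link_active = link_active;
	return (&nic);
}

/* Helpers so the checked path's errno and state can each be inspected. */
static int
operstate_errno(struct ifnet *ifp)
{
	enum operstate st;
	return (get_operstate_ether_checked(ifp, &st));
}

static enum operstate
operstate_value(struct ifnet *ifp)
{
	enum operstate st;
	(void)get_operstate_ether_checked(ifp, &st);
	return (st);
}

int
main(void)
{
	printf("%s: errno=%d state=%d\n", "port0",
	    operstate_errno(make_unattached_port()),
	    operstate_value(make_unattached_port()));
	printf("%s: errno=%d state=%d (unchecked=%d)\n", "demo0",
	    operstate_errno(make_attached_nic(1)),
	    operstate_value(make_attached_nic(1)),
	    get_operstate_ether_unchecked(make_attached_nic(1)));
	/* get_operstate_ether_unchecked(make_unattached_port()) would fault. */
	return (0);
}
```

Run it and the unattached port reports EOPNOTSUPP with state OPER_UNKNOWN, while the attached NIC answers the media query normally; the unchecked variant only stays safe because main never hands it the NULL-handler ifnet.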

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-275920-7501-sjUPXz6Aj8>