From: Nima Misaghian
Date: Tue, 17 Aug 2010 15:56:51 +0000
Subject: Kernel panic from interface address list manipulation
List-Id: Networking and TCP/IP with FreeBSD

I’ve been able to trivially trigger a kernel panic while testing ifaddr list manipulation on -CURRENT (r 211427). The hardware is a four-core i386 machine with em interfaces.

This is the test script I’ve used to trigger the problem:

#!/bin/sh

addr_loop()
{
    while true
    do
        ifconfig em1 1.0.0.1/24
        ifconfig em1 -alias 1.0.0.1
    done
}

addr_loop &
addr_loop &

With WITNESS and INVARIANTS the panic happens immediately upon starting the script, with the following backtrace:

panic: Bad link elm 0xd17aec00 prev->next != elm

#0  doadump () at pcpu.h:231
231     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) #0  doadump () at pcpu.h:231
#1  0xc088a4ef in boot (howto=260) at /d2/head/sys/kern/kern_shutdown.c:416
#2  0xc088a7bb in panic (fmt=Variable "fmt" is not available. ) at /d2/head/sys/kern/kern_shutdown.c:590
#3  0xc098caf8 in in_control (so=0xd30af4d4, cmd=2151704858, data=0xd1923b80 "em1", ifp=0xd1554800, td=0xd31262c0) at /d2/head/sys/netinet/in.c:602
#4  0xc0938869 in ifioctl (so=0xd30af4d4, cmd=2151704858, data=0xd1923b80 "em1", td=0xd31262c0) at /d2/head/sys/net/if.c:2469
#5  0xc08d7e6b in soo_ioctl (fp=0xd2540ce8, cmd=2151704858, data=0xd1923b80, active_cred=0xd2594900, td=0xd31262c0) at /d2/head/sys/kern/sys_socket.c:212
#6  0xc08d2075 in kern_ioctl (td=0xd31262c0, fd=3, com=2151704858, data=0xd1923b80 "em1") at file.h:254
#7  0xc08d21e2 in ioctl (td=0xd31262c0, uap=0xf3a2ecec) at /d2/head/sys/kern/sys_generic.c:678
#8  0xc08c77d8 in syscallenter (td=0xd31262c0, sa=0xf3a2ece4) at /d2/head/sys/kern/subr_trap.c:319
#9  0xc0bb18f3 in syscall (frame=0xf3a2ed28) at /d2/head/sys/i386/i386/trap.c:1060
#10 0xc0b9a231 in Xint0x80_syscall () at /d2/head/sys/i386/i386/exception.s:264
#11 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb)

I’ve also reproduced it without WITNESS and INVARIANTS, but it seems to need additional copies of the script running simultaneously and still takes longer to panic. I’ve produced several different backtraces from the non-debugging kernel.
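
Added example, not part of the original message and not FreeBSD source: the panic string above is the one emitted by the INVARIANTS link check in the removal macros of FreeBSD's sys/queue.h, which verifies that the pointer an element's back-link refers to still points at that element. The C below re-implements that check on a minimal tail queue (all type and function names are hypothetical) and shows it failing when the same entry is unlinked twice; it illustrates the invariant only and is not a diagnosis of this panic.

```c
#include <stddef.h>
#include <stdio.h>

/* Same link layout as a queue(3) TAILQ entry: prev holds the address of
 * the pointer that points at this element. Names here are hypothetical. */
struct addr { int id; struct addr *next; struct addr **prev; };
struct addr_list { struct addr *first; struct addr **last; };

static void list_init(struct addr_list *l) { l->first = NULL; l->last = &l->first; }

static void list_insert_tail(struct addr_list *l, struct addr *e)
{
    e->next = NULL;
    e->prev = l->last;
    *l->last = e;
    l->last = &e->next;
}

/* Unlink e; return -1 instead of panicking when prev->next != elm. */
static int list_remove_checked(struct addr_list *l, struct addr *e)
{
    if (*e->prev != e)
        return -1;              /* element is not linked where it claims */
    if (e->next != NULL)
        e->next->prev = e->prev;
    else
        l->last = e->prev;
    *e->prev = e->next;
    return 0;
}

/* Constructed scenario: two callers both looked up entry b and both try
 * to unlink it, as can happen when lookup and removal are not covered by
 * one lock. Returns the result of the second removal. */
static int second_remove_of_same_entry(void)
{
    struct addr_list l;
    struct addr a = { .id = 1 }, b = { .id = 2 }, c = { .id = 3 };
    list_init(&l);
    list_insert_tail(&l, &a);
    list_insert_tail(&l, &b);
    list_insert_tail(&l, &c);
    if (list_remove_checked(&l, &b) != 0)
        return 1;               /* first removal must succeed */
    return list_remove_checked(&l, &b);
}

int main(void) { printf("second removal: %d\n", second_remove_of_same_entry()); return 0; }
```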