Date:      Thu, 18 Aug 2005 23:01:29 +0200
From:      Pawel Jakub Dawidek <pjd@FreeBSD.org>
To:        Andrew Thompson <thompsa@freebsd.org>
Cc:        freebsd-current@freebsd.org, rwatson@FreeBSD.org
Subject:   Re: [PANIC] 6.0BETA2 in l2ping flood
Message-ID:  <20050818210128.GD18375@garage.freebsd.pl>
In-Reply-To: <20050817231838.GA97927@heff.fud.org.nz>
References:  <b0ba593005081703416d19fbf4@mail.gmail.com> <20050817231838.GA97927@heff.fud.org.nz>

On Thu, Aug 18, 2005 at 11:18:38AM +1200, Andrew Thompson wrote:
+> On Wed, Aug 17, 2005 at 12:41:07PM +0200, Jonatan B wrote:
+> > This is a repeatable panic I get when l2ping flooding my tungsten.
+> > Maksim?
+> >
+> > repeatable panic with bluetooth on SMP
+> >
+> > #> l2ping -fa MyTungsten -s 65531
+> >
+>
+> Interesting... I can get exactly the same panic by doing
+>
+>  ifconfig bridge0 create
+>   <'tcpdump -i bridge0' on another terminal>
+>  ifconfig bridge0 up
+>  ifconfig bridge0 destroy
+>
+> So far I have been unable to find the cause.

Those kinds of bugs are because of improper use of callout(9).

Here, when you destroy bridge0, callout handle is also destroyed,
but on detach, bpf wants to turn off promiscuous mode and call
bridge_init(), because it doesn't have IFF_DRV_RUNNING flag set.

bridge_init() calls callout_reset() on destroyed callout handle.

I placed KASSERT() there and below is more interesting backtrace.
I wonder if the same problem exists for other removable interfaces
like PCMCIA.

panic: HERE
KDB: enter: panic
[thread pid 427 tid 100066 ]
Stopped at      kdb_enter+0x2b: nop
db> tr
Tracing pid 427 tid 100066 td 0xc1209d80
kdb_enter(c05ecb23) at kdb_enter+0x2b
panic(c1252128,80206910,c0ff9800,c88b7b4c,c124df85) at panic+0xbb
bridge_init(c1125200,c112520c,c1209d80,c1125200,c04c5cf3) at bridge_init+0x71
bridge_ioctl(c0ff9800,80206910,c88b7b68,1,101) at bridge_ioctl+0x11d
if_setflag(c0ff9800,100,20000,c0ff9844,0) at if_setflag+0x120
ifpromisc(c0ff9800,0) at ifpromisc+0x23
bpf_detachd(c1125900,c1125900,c0ff9800,c112520c,c0ff9800) at bpf_detachd+0xae
bpfdetach(c0ff9800,c1125200,c88b7c2c,c124e0f8,c0ff9800) at bpfdetach+0xb4
ether_ifdetach(c0ff9800,c1253440,0,c12520be,1f7) at ether_ifdetach+0x34
bridge_clone_destroy(c0ff9800,c12532b0,c1253280,c88b7c60,c05150da) at bridge_clone_destroy+0x9c
ifc_simple_destroy(c1253280,c0ff9800,2d,80206979,c10556f4) at ifc_simple_destroy+0x1e
if_clone_destroy(c0fddbc0,c05ee1ed,80206979,c10556f4,c0fddbc0) at if_clone_destroy+0xf6
ifioctl(c10556f4,80206979,c0fddbc0,c1209d80,0) at ifioctl+0x84
soo_ioctl(c1060090,80206979,c0fddbc0,c1237400,c1209d80) at soo_ioctl+0x2db
ioctl(c1209d80,c88b7d04,3,0,282) at ioctl+0x370
syscall(3b,3b,3b,bfbfec8c,bfbfed85) at syscall+0x22f
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (54, FreeBSD ELF32, ioctl), eip = 0x28136b5b, esp = 0xbfbfe3cc, ebp = 0xbfbfe3e8 ---

Do we need yet another flag to mark interface as dying?

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
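
A user-space model of the sequence described in this message, added here as an illustration; it is not code from FreeBSD or from the poster. All names (model_if, model_init, model_promisc_off, model_destroy, run_scenario) are hypothetical, and the `dying` check is only one possible form of the flag the message asks about.

```c
#include <stdbool.h>
#include <stdio.h>
/* Hypothetical stand-ins; not FreeBSD's callout(9) or if_bridge code. */
enum timer_state { TIMER_IDLE, TIMER_ARMED, TIMER_DESTROYED };
struct model_if {
    enum timer_state timer; /* models the bridge's callout handle */
    bool running;           /* models IFF_DRV_RUNNING */
    bool dying;             /* assumed "interface is dying" flag */
    int  stale_arms;        /* re-arms of an already destroyed timer */
};

/* Models bridge_init(): arms the timer when the interface is not running. */
static void model_init(struct model_if *ifp, bool honor_dying) {
    if (ifp->running || (honor_dying && ifp->dying))
        return;
    if (ifp->timer == TIMER_DESTROYED)
        ifp->stale_arms++;  /* kernel analogue: callout_reset() on a dead handle */
    else
        ifp->timer = TIMER_ARMED;
    ifp->running = true;
}

/* Models the path bpf takes on detach to turn promiscuous mode off. */
static void model_promisc_off(struct model_if *ifp, bool honor_dying) {
    if (!ifp->running)
        model_init(ifp, honor_dying);
}

/* Models destroy: the timer is torn down first, then listeners detach. */
static int model_destroy(struct model_if *ifp, bool bpf_attached, bool honor_dying) {
    ifp->dying = true;
    ifp->running = false;
    ifp->timer = TIMER_DESTROYED;
    if (bpf_attached)       /* e.g. tcpdump still open on the interface */
        model_promisc_off(ifp, honor_dying);
    return ifp->stale_arms;
}

/* One create/up/destroy lifecycle; returns the number of stale re-arms. */
static int run_scenario(bool bpf_attached, bool honor_dying) {
    struct model_if ifp = { TIMER_IDLE, false, false, 0 };
    model_init(&ifp, honor_dying);  /* "ifconfig ... up" */
    return model_destroy(&ifp, bpf_attached, honor_dying);
}

int main(void) {
    printf("unguarded: %d, guarded: %d\n", run_scenario(true, false), run_scenario(true, true));
    return 0;
}
```

The stale re-arm only appears when a listener is attached at destroy time, which matches the tcpdump step in the quoted reproduction.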




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050818210128.GD18375>