>Number:         155555
>Category:       kern
>Synopsis:       [patch] Panic in in_scrubprefix() during 'ifconfig delete'
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 14 16:10:15 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Andrew Boyer
>Release:        current, 8.2
>Organization:
Avere Systems, Inc.
>Environment:
amd64
>Description:
The system can panic in in_scrubprefix() in sys/netinet/in.c during system 
shutdown or anytime many addresses are being removed in parallel.

When a route is being reassigned to a new interface address, the ia is used 
unlocked and unreferenced.  If enough addresses are being torn down 
simultaneously from the same subnet, the ia can be deleted while the modified 
route is being set up.

The panic is on line 1184 in the rtinitflags() macro.  This is the backtrace:
panic: general protection fault
cpuid = 6
KDB: stack backtrace:
gdb_trace_self_wrapper() at 0xffffffff803f68ba =
    gdb_trace_self_wrapper+0x2a
panic() at 0xffffffff80459a52 = panic+0x182
trap_fatal() at 0xffffffff80672e0d = trap_fatal+0x2ad
trap() at 0xffffffff80673a80 = trap+0x160
calltrap() at 0xffffffff80658ace = calltrap+0x8
--- trap 0x9, rip = 0xffffffff80518c70,
    rsp = 0xffffffffd119c900,
    rbp = 0xffffffffd119c930 ---
in_ifscrub() at 0xffffffff80518c70 = in_ifscrub+0x100
in_control() at 0xffffffff8051a1a8 = in_control+0x808
ifioctl() at 0xffffffff804f4f0f = ifioctl+0x2af
kern_ioctl() at 0xffffffff80496013 = kern_ioctl+0xa3
ioctl() at 0xffffffff8049627a = ioctl+0xfa
syscall() at 0xffffffff80673460 = syscall+0x2c0
Xfast_syscall() at 0xffffffff80658cdb = Xfast_syscall+0xab
--- syscall (54, FreeBSD ELF64, ioctl),
    rip = 0x800782a8c,
    rsp = 0x7fffffffe618,
    rbp = 0x7fffffffe680 ---
--- curthread 0xffffff000933f370, tid 100301
    pid 6602 "ifconfig"
Stopping all network interfaces

In this case the ifconfig command was 'ifconfig e3c 169.254.6.15/16 delete'.
>How-To-Repeat:
Typing 'reboot' on a system running avahi-autoipd for zeroconf networking on 
all (8+) interfaces leads to a panic approximately 2-3% of the time.

This is time-consuming to reproduce but the fix is straightforward (see patch 
below).

It might be possible to reproduce just with killing and restarting 
avahi-autoipd but I haven't tried it.
>Fix:


Patch attached with submission follows:

Index: sys/netinet/in.c
===================================================================
--- sys/netinet/in.c    (revision 219641)
+++ sys/netinet/in.c    (working copy)
@@ -1176,6 +1176,7 @@
                if ((ia->ia_flags & IFA_ROUTE) == 0
                    && (ia->ia_ifp->if_type != IFT_CARP)
                                                        ) {
+                       ifa_ref(&ia->ia_ifa);
                        IN_IFADDR_RUNLOCK();
                        rtinit(&(target->ia_ifa), (int)RTM_DELETE,
                            rtinitflags(target));
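Review bot: the ifa_ref() is correctly taken while IN_IFADDR_RLOCK is still held, i.e. while the address list's own reference still keeps ia alive; a one-line comment above it ("ia is used after the lock is dropped; a concurrent delete may otherwise free it") would make that ordering constraint explicit, since moving the ifa_ref() below IN_IFADDR_RUNLOCK() would silently reopen the race. The matching ifa_free() lives in the next hunk, and the `error = rtinit(&ia->ia_ifa, ...)` lines between the two hunks are not shown, so regenerating the diff with a few more context lines would let a reviewer see the ref/free bracket in one place.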
@@ -1185,6 +1186,7 @@
                            rtinitflags(ia) | RTF_UP);
                        if (error == 0)
                                ia->ia_flags |= IFA_ROUTE;
+                       ifa_free(&ia->ia_ifa);
                        return (error);
                }
        }
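Review bot: `return (error)` should be confirmed as the only exit between the ifa_ref() in the previous hunk and this ifa_free(); the unshown lines around the rtinit(RTM_ADD) assignment are where an early return would leak the reference. Also note that `ia->ia_flags |= IFA_ROUTE` still executes outside IN_IFADDR_RLOCK: the reference stops ia from being freed (the panic in the report) but does not serialize the flag update against another thread running in_scrubprefix() on the same subnet, so the commit message should say the patch addresses only the use-after-free.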


>Release-Note:
>Audit-Trail:
>Unformatted:
_______________________________________________
freebsd-bugs@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
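The race in the description, as an added user-space model that is not FreeBSD code and not the submitter's patch: a toy refcounted `ifaddr` stands in for `struct in_ifaddr`, a `freed` flag stands in for the real free() so a stale access is detectable instead of undefined behaviour, and a `racer` callback invoked right after the modelled IN_IFADDR_RUNLOCK() plays the other CPU's `ifconfig delete`. The three `ref_mode` cases show why the patch places ifa_ref() before the unlock rather than after it; the names `scrub_prefix`, `run_case` and `run_unraced` are the example's own.

```c
/* Added example: user-space model of the in_scrubprefix() race, not kernel code. */
#include <stdbool.h>
#include <stdio.h>

#define IFA_ROUTE 0x01

/* Toy stand-in for struct in_ifaddr: only what the race needs. */
struct ifaddr {
    unsigned refcnt;   /* models ifa_refcnt; the address list holds one reference */
    int      flags;    /* models ia_flags */
    bool     freed;    /* set instead of calling free(), so a stale access is detectable */
};

static void ifa_ref(struct ifaddr *ifa) { ifa->refcnt++; }

static void ifa_free(struct ifaddr *ifa)
{
    if (--ifa->refcnt == 0)
        ifa->freed = true;      /* last reference gone: object is dead */
}

/* Where the reference is taken relative to the modelled IN_IFADDR_RUNLOCK(). */
enum ref_mode { NO_REF, REF_AFTER_UNLOCK, REF_BEFORE_UNLOCK };

/* Models the 'ifconfig delete' on another CPU that drops the list's reference
 * to the same ia while we sit between the unlock and rtinit(). */
static void concurrent_delete(struct ifaddr *ia) { ifa_free(ia); }

/* Models the block changed by the patch. Returns 0 on success, -1 when the
 * code would have touched a freed ia (the panic in the report). */
static int scrub_prefix(struct ifaddr *ia, enum ref_mode mode,
                        void (*racer)(struct ifaddr *))
{
    /* IN_IFADDR_RLOCK() held here: ia was just found in the address list. */
    if (mode == REF_BEFORE_UNLOCK)
        ifa_ref(ia);
    /* IN_IFADDR_RUNLOCK(): from here on only a reference keeps ia alive. */
    if (racer)
        racer(ia);
    if (mode == REF_AFTER_UNLOCK) {
        if (ia->freed)
            return -1;          /* too late: taking the ref is itself a stale access */
        ifa_ref(ia);
    }
    /* rtinit(&ia->ia_ifa, RTM_ADD, rtinitflags(ia) | RTF_UP) dereferences ia. */
    if (ia->freed)
        return -1;
    ia->flags |= IFA_ROUTE;
    if (mode != NO_REF)
        ifa_free(ia);
    return 0;
}

/* One interleaving: the list holds a single ref and the racer drops it mid-way. */
static int run_case(enum ref_mode mode)
{
    struct ifaddr ia = { .refcnt = 1, .flags = 0, .freed = false };
    return scrub_prefix(&ia, mode, concurrent_delete);
}

/* No racer: the patched path must still set IFA_ROUTE and leave ia alive. */
static int run_unraced(void)
{
    struct ifaddr ia = { .refcnt = 1, .flags = 0, .freed = false };
    if (scrub_prefix(&ia, REF_BEFORE_UNLOCK, NULL) != 0 || ia.freed)
        return -1;
    return ia.flags;
}

int main(void)
{
    printf("no ref:            %s\n", run_case(NO_REF) ? "use-after-free" : "ok");
    printf("ref after unlock:  %s\n", run_case(REF_AFTER_UNLOCK) ? "use-after-free" : "ok");
    printf("ref before unlock: %s\n", run_case(REF_BEFORE_UNLOCK) ? "use-after-free" : "ok");
    return 0;
}
```

Only the `REF_BEFORE_UNLOCK` interleaving survives the concurrent delete, which is the ordering the patch uses; the `REF_AFTER_UNLOCK` case is the tempting but wrong variant where the reference is taken once the lock is already gone.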