https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225438
Bug ID: 225438
Summary: panic in6_unlink_ifa() due to race
Product: Base System
Version: 11.1-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: da...@spectralogic.com

The following silly test case exposes a race in in6_unlink_ifa() that panics because the second thread into in6_unlink_ifa() attempts to remove the address from &ifp->if_addrhead that the first thread has already removed and freed:

    while :
    do
        /etc/rc.d/netif restart igb1 &
        /etc/rc.d/netif restart igb1 &
        wait
        sleep 5
    done

-----------------------------------------
The panic thread:

    Unread portion of the kernel message buffer:
    panic: Bad link elm 0xfffff815570d7400 next->prev != elm

    Thread 1455 (Thread 102370):
    (struct thread *)0xfffff811a0e49000, tid 102370
    ifconfig :: (struct proc *)0xfffff815570d6000, pid 5784
    args: /sbin/ifconfig igb1 inet6 fe80::225:90ff:fec9:a5fd -alias
    #11 0xffffffff804bf103 in panic (fmt=<value optimized out>) at sys/kern/kern_shutdown.c:690
    #12 0xffffffff8067e6f4 in in6_unlink_ifa (ia=0xfffff815570d7400, ifp=0xfffff8012150f800) at sys/netinet6/in6.c:1292
    #13 0xffffffff8067c30b in in6_control (so=<value optimized out>, cmd=<value optimized out>, data=<value optimized out>, ifp=<value optimized out>, td=<value optimized out>) at sys/netinet6/in6.c:699
    #14 0xffffffff805aef80 in ifioctl (so=<value optimized out>, cmd=2166384921, data=0xfffff80158647c00 "igb1", td=0xfffff811a0e49000) at sys/net/if.c:2859
    #15 0xffffffff80524ab4 in kern_ioctl (td=<value optimized out>, fd=<value optimized out>, com=<value optimized out>, data=<value optimized out>) at file.h:323
    #16 0xffffffff8052476e in sys_ioctl (td=0xfffff811a0e49000, uap=0xfffffe1b8e3afa30) at sys/kern/sys_generic.c:745

    (kgdb) frame 12
    #12 0xffffffff8067e6f4 in in6_unlink_ifa (ia=0xfffff815570d7400, ifp=0xfffff8012150f800) at sys/netinet6/in6.c:1292
    1292            TAILQ_REMOVE(&ifp->if_addrhead, &ia->ia_ifa, ifa_link);

Note: In order to clearly show where the panic occurred, I wrapped in6_unlink_ifa() in #pragma clang optimize off/on. Without this the offending frame (#12) looks like:

    #12 0xffffffff8067edba in in6_unlink_ifa (ia=0xfffff819e5dd5200, ifp=<value optimized out>) at fnv_hash.h:29

-----------------------------------------
The thread that removed the address:

    Thread 1456 (Thread 101967):
    (struct thread *)0xfffff81557641000, tid 101967
    ifconfig :: (struct proc *)0xfffff81557595000, pid 5785
    args: /sbin/ifconfig igb1 inet6 fe80::225:90ff:fec9:a5fd -alias
    #2 0xffffffff8078425a in trap (frame=0xfffffe1a5ddf1f30) at sys/amd64/amd64/trap.c:185
    #3 0xffffffff80768863 in nmi_calltrap () at sys/amd64/amd64/exception.S:510
    #4 0xffffffff80510032 in smp_rendezvous_cpus (map={__bits = 0xfffffe1b8e6ce580}, setup_func=0xffffffff8050fe80 <smp_no_rendevous_barrier>, action_func=<value optimized out>, teardown_func=<value optimized out>, arg=<value optimized out>) at cpufunc.h:339
    #5 0xffffffff804b98ae in _rm_wlock (rm=0xffffffff80eeeac0) at sys/kern/kern_rmlock.c:558
    #6 0xffffffff804b9b14 in _rm_wlock_debug (rm=0xffffffff80eeeac0, file=0xffffffff80895d8d "sys/netinet6/in6.c", line=1301) at sys/kern/kern_rmlock.c:610
    #7 0xffffffff8067e7ae in in6_unlink_ifa (ia=0xfffff815570d7400, ifp=0xfffff8012150f800) at sys/netinet6/in6.c:1301
    #8 0xffffffff8067c30b in in6_control (so=<value optimized out>, cmd=<value optimized out>, data=<value optimized out>, ifp=<value optimized out>, td=<value optimized out>) at sys/netinet6/in6.c:699
    #9 0xffffffff805aef80 in ifioctl (so=<value optimized out>, cmd=2166384921, data=0xfffff81557272200 "igb1", td=0xfffff81557641000) at sys/net/if.c:2859
    #10 0xffffffff80524ab4 in kern_ioctl (td=<value optimized out>, fd=<value optimized out>, com=<value optimized out>, data=<value optimized out>) at file.h:323
    #11 0xffffffff8052476e in sys_ioctl (td=0xfffff81557641000, uap=0xfffffe1b8e6cea30) at sys/kern/sys_generic.c:745

    (kgdb) frame 7
    #7 0xffffffff8067e7ae in in6_unlink_ifa (ia=0xfffff815570d7400, ifp=0xfffff8012150f800) at sys/netinet6/in6.c:1301
    1301            IN6_IFADDR_WLOCK();
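The double removal the report describes, as an added example that is not part of the bug report or of FreeBSD's in6.c: a constructed C model of a TAILQ-style list whose unchecked unlink reports the same stale-link condition that a QUEUE_MACRO_DEBUG kernel turns into the "Bad link elm ... next->prev != elm" panic, beside a check-and-unlink done under a single lock so the remover that loses the race backs off. The `linked` flag, `addr_lock` and all function names are assumptions of this example, not kernel code.

```c
#include <pthread.h>
#include <stdio.h>
/* Constructed model of a TAILQ-style list (head plus per-element next/prev
 * links), standing in for ifp->if_addrhead in the report. */
struct ifaddr_sim { struct ifaddr_sim *next; struct ifaddr_sim **prev; int linked; };
struct addrhead { struct ifaddr_sim *first; struct ifaddr_sim **last; };

static void addrhead_init(struct addrhead *h) { h->first = NULL; h->last = &h->first; }

static void addr_insert_tail(struct addrhead *h, struct ifaddr_sim *e)
{
    e->next = NULL; e->prev = h->last; *h->last = e; h->last = &e->next; e->linked = 1;
}
/* Unchecked unlink, like TAILQ_REMOVE. Where a QUEUE_MACRO_DEBUG kernel panics
 * "Bad link elm next->prev != elm", this returns -1 instead. */
static int addr_remove_raw(struct addrhead *h, struct ifaddr_sim *e)
{
    if (e->next != NULL ? e->next->prev != &e->next : h->last != &e->next)
        return -1;                  /* stale links: e already left the list */
    if (e->next != NULL) e->next->prev = e->prev; else h->last = e->prev;
    *e->prev = e->next;
    return 0;
}

static pthread_mutex_t addr_lock = PTHREAD_MUTEX_INITIALIZER;   /* assumed lock */
/* Check and unlink under one lock: a second remover that lost the race finds
 * the address already gone (returns 1) instead of double-removing it. */
static int addr_unlink_guarded(struct addrhead *h, struct ifaddr_sim *e)
{
    pthread_mutex_lock(&addr_lock);
    int rc = e->linked ? addr_remove_raw(h, e) : 1;   /* 1: already gone, back off */
    if (rc == 0) e->linked = 0;
    pthread_mutex_unlock(&addr_lock);
    return rc;
}
/* Replays the report's interleaving sequentially: remover A unlinks the address,
 * then remover B tries the same element. The element's memory is kept alive here
 * (the kernel frees it) so the stale links can be inspected without a UAF. */
static int simulate_double_unlink(int guarded, int remove_tail)
{
    struct addrhead head; struct ifaddr_sim a = {0}, b = {0}, *victim = remove_tail ? &b : &a;
    int (*remover)(struct addrhead *, struct ifaddr_sim *) = guarded ? addr_unlink_guarded : addr_remove_raw;
    addrhead_init(&head); addr_insert_tail(&head, &a); addr_insert_tail(&head, &b);
    if (remover(&head, victim) != 0) return -2;   /* first remover must succeed */
    return remover(&head, victim);                /* -1 = would panic, 1 = skipped */
}

int main(void)
{
    printf("raw: %d (-1 = would panic), guarded: %d (1 = skipped)\n",
           simulate_double_unlink(0, 0), simulate_double_unlink(1, 0));
    return 0;
}
```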