kern/116837: [tun] [panic] [patch] ifconfig tunX destroy: panic

Lucius Windschuh lwindschuh at googlemail.com
Sat Feb 21 06:10:02 PST 2009 

The following reply was made to PR kern/116837; it has been noted by GNATS.

From: Lucius Windschuh <lwindschuh at googlemail.com>
To: bug-followup at freebsd.org
Cc:  
Subject: Re: kern/116837: [tun] [panic] [patch] ifconfig tunX destroy: panic
Date: Sat, 21 Feb 2009 14:27:45 +0100

 This is a follow-up to PR kern/116837. The described issue is solved,
 but now we have this issue.
 The following simple steps lead to a kernel panic on my system (i386,
 SMP, 8-CURRENT from Feb. 18th):
 
 -->8--
 cat < /dev/tun0 > /dev/tun0 &
 ifconfig tun0 up
 ifconfig tun0 destroy & ifconfig tun0 destroy
 --8<--
 
 Panic string: Bad link elm 0xc6437c00 prev->next != elm
 
 Responsible backtraces:
 
 Tracing pid 1610 tid 100114 td 0xc686f240
 kdb_enter(c090abd7,c090abd7,c08e2418,eaefeb6c,0,...) at kdb_enter+0x3a
 panic(c08e2418,c6437c00,c091867f,d3,2d,...) at panic+0x136
 if_clone_destroyif(c0976300,c6437c00,c091867f,bf,0,...) at
 if_clone_destroyif+0x8a
 if_clone_destroy(c724f320,19c,eaefebd4,c0604976,c1494788,...) at
 if_clone_destroy+0xa2
 ifioctl(c7077dc8,80206979,c724f320,c686f240,80206979,...) at ifioctl+0x116
 soo_ioctl(c71deaf0,80206979,c724f320,c722a000,c686f240,...) at soo_ioctl+0x397
 kern_ioctl(c686f240,3,80206979,c724f320,64c3c0,...) at kern_ioctl+0x1dd
 ioctl(c686f240,eaefecf8,c,c,c09644b0,...) at ioctl+0x134
 syscall(eaefed38) at syscall+0x2a3
 Xint0x80_syscall() at Xint0x80_syscall+0x20
 
 Tracing command ifconfig pid 1611 tid 100194 td 0xc6c9b000
 sched_switch(c6c9b000,0,104,18d,5796c911,...) at sched_switch+0x437
 mi_switch(104,0,c090edc3,1d2,0,...) at mi_switch+0x200
 sleepq_switch(c6c9b000,0,c090edc3,247,c6c9b000,...) at sleepq_switch+0x15f
 sleepq_wait(c69aa850,0,c0918d9f,1,0,...) at sleepq_wait+0x63
 _cv_wait_unlock(c69aa850,c69aa83c,c0918d76,102,c69aa800,...) at
 _cv_wait_unlock+0x1d4
 tun_destroy(c09ca0d8,0,c0918d76,11c) at tun_destroy+0x49
 tun_clone_destroy(c6437c00,c6437c00,c6437c00,c0976300,eb04eb88,...) at
 tun_clone_destroy+0xb8
 ifc_simple_destroy(c0976300,c6437c00,c091867f,d5,2d,...) at
 ifc_simple_destroy+0x27
 if_clone_destroyif(c0976300,c6437c00,c091867f,bf,0,...) at
 if_clone_destroyif+0xe1
 if_clone_destroy(c677cb20,19c,eb04ebd4,c0604976,c1494788,...) at
 if_clone_destroy+0xa2
 ifioctl(c7257620,80206979,c677cb20,c6c9b000,80206979,...) at ifioctl+0x116
 soo_ioctl(c7285bd0,80206979,c677cb20,c722a000,c6c9b000,...) at soo_ioctl+0x397
 kern_ioctl(c6c9b000,3,80206979,c677cb20,64c3c0,...) at kern_ioctl+0x1dd
 ioctl(c6c9b000,eb04ecf8,c,c,c09644b0,...) at ioctl+0x134
 syscall(eb04ed38) at syscall+0x2a3
 Xint0x80_syscall() at Xint0x80_syscall+0x20
 --- syscall (54, FreeBSD ELF32, ioctl), eip = 0x281b4b83, esp =
 0xbfbfe47c, ebp = 0xbfbfe498 ---
 
 OK, it's odd to destroy an interface two times in parallel. But it
 shouldn't crash the kernel. ;-)
 
 This panic is triggered reliably.
 To rule out side effects of my kernel config, I ran the same test with
 the GENERIC config and got the same result: panic.
 
 The textdump is available here:
 http://sites.google.com/site/lwfreebsd/Home/files/tun0-double-destroy.zip?attredirects=0
 
 I can supply more information if needed.
 
 
 Kind regards,
 
 Lucius

More information about the freebsd-net mailing list