Date: Fri, 12 Apr 2013 22:49:03 -0400
Subject: Race condition inside if_detach_internal() leads to a crash while running "jail -r"
From: suraj sandhu
To: freebsd-net@freebsd.org

I am running FreeBSD 8.2 and hitting this panic:

kdb_backtrace() at kdb_backtrace+0x3e
panic() at panic+0x479
trap_fatal() at trap_fatal+0x4f4
trap() at trap+0x8fe
calltrap() at calltrap+0x8
--- trap 0x9, rip = 0xffffffff80518f4d, rsp = 0xffffff805fa1d9e0, rbp = 0xffffff805fa1da30 ---
raw_input() at raw_input+0x4d
rts_input() at rts_input+0x70
netisr_process_workstream_proto() at netisr_process_workstream_proto+0x1ea
swi_net() at swi_net+0xad
intr_event_execute_handlers() at intr_event_execute_handlers+0x21c
ithread_execute_handlers() at ithread_execute_handlers+0x73
ithread_loop() at ithread_loop+0x10f
fork_exit() at fork_exit+0x180
fork_trampoline() at fork_trampoline+0xe
--- trap 0, rip = 0, rsp = 0xffffff805fa1dd30, rbp = 0 ---
Uptime: 20h23m27s

I looked into the code and the issue seems to be that in if_detach_internal(), if_down() is called, which leads to a netisr_queue() call in rt_dispatch() with an mbuf which has the interface being detached as rcvif; subsequently if_detach_internal() calls if_dead() on the interface. Then, at the time of processing the work, this panic is seen since the mbuf has a dead interface.

Seems like the issue was reported on the virtualization mailing list earlier:
http://lists.freebsd.org/pipermail/freebsd-virtualization/2012-April/000885.html

I am looking for patch(es) to fix this issue.

Thanks for any help.

-Suraj Sandhu
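
The ordering described in the message above, as an added user-space C model; it is not part of the original post and not FreeBSD kernel code. All type and function names are hypothetical, and pinning the interface with a reference held by queued work is an assumed general mitigation, not the patch the poster asks for.

```c
/* User-space model of the reported ordering. Not FreeBSD code; all names hypothetical. */
#include <stddef.h>
#include <stdio.h>
#define QLEN 8
struct model_ifnet { int dead; int refs; };        /* stand-in for struct ifnet */
struct model_pkt { struct model_ifnet *rcvif; };   /* stand-in for the mbuf header */
static struct model_pkt queue[QLEN];
static size_t qhead, qtail;

/* Deferred dispatch, as with netisr_queue(): the handler runs later. */
static void enqueue(struct model_ifnet *ifp, int pin)
{
    if (pin) ifp->refs++;            /* hardened: queued work pins the interface */
    queue[qtail++ % QLEN].rcvif = ifp;
}

/* Detach in the reported order. Returns 1 when teardown may free the object. */
static int detach(struct model_ifnet *ifp, int pin)
{
    enqueue(ifp, pin);               /* if_down() -> rt_dispatch() -> queue */
    ifp->dead = 1;                   /* if_dead() */
    return ifp->refs == 0;
}

/* Handler: counts packets whose rcvif was dead and unpinned (use after
 * teardown); pinned packets are dropped safely and their reference released. */
static int drain(void)
{
    int stale = 0;
    while (qhead != qtail) {
        struct model_ifnet *ifp = queue[qhead++ % QLEN].rcvif;
        if (ifp->refs == 0) stale += ifp->dead;
        else ifp->refs--;
    }
    return stale;
}

/* One detach plus one deferred handler pass; returns the stale access count. */
int run_scenario(int pin, int *freed_early)
{
    struct model_ifnet ifp = { 0, 0 };
    qhead = qtail = 0;
    *freed_early = detach(&ifp, pin);
    return drain();
}

int main(void)
{
    int e, a = run_scenario(0, &e), b = run_scenario(1, &e);
    return printf("stale: unpinned=%d pinned=%d\n", a, b) < 0;
}
```

In the unpinned run the handler sees an interface that teardown was already free to release; in the pinned run teardown is deferred until the queued packet has been dropped.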