Date:      Thu, 12 Apr 2007 13:07:07 +1200
From:      Andrew Thompson <thompsa@freebsd.org>
To:        freebsd-net@freebsd.org
Subject:   ipv6 multicast refcnt panic
Message-ID:  <20070412010707.GC9390@heff.fud.org.nz>

Hi,


I have come across this panic which appears to be from incorrect
refcounting in the inet6 multicast code.

[root@dev7a]# ifconfig edsc0 create
[root@dev7a]# ifconfig edsc0 inet6 f00f::01
[root@dev7a]# ifconfig edsc0 destroy

Everything is ok...

[root@dev7a]# ifconfig edsc0 create
[root@dev7a]# ifconfig edsc0 inet6 f00f::01
[root@dev7a]# ifconfig edsc0 inet6 f00f::01
[root@dev7a]# ifconfig edsc0 destroy       
panic: if_freemulti: protospec not NULL
cpuid = 0
KDB: enter: panic
[thread pid 992 tid 100060 ]
Stopped at      breakpoint+0x4: leave
db> tr
Tracing pid 992 tid 100060 td 0xc25b6360
breakpoint(cd0faac4,c07689ae,c0a74962,0,0,...) at breakpoint+0x4
kdb_enter(c0a74962) at kdb_enter+0x30
panic(c0a84679,cd0faae4,c0800fc1,c2310e00,c25b6360,...) at panic+0x13e
if_freemulti(c2310e00) at if_freemulti+0x2f
if_delmulti_locked(c21fa400,c2310e00,1) at if_delmulti_locked+0x1e1
if_purgemaddrs(c21fa400) at if_purgemaddrs+0x4b
if_detach(c21fa400) at if_detach+0x142
ether_ifdetach(c21fa400,8056670,bfbfee3b,cd0fab6c,c080261e,...) at ether_ifdetach+0x42
edsc_clone_destroy(c21fa400) at edsc_clone_destroy+0x10
ifc_simple_destroy(c26a5c20,c21fa400) at ifc_simple_destroy+0x36
if_clone_destroyif(c26a5c20,c21fa400) at if_clone_destroyif+0xf7
if_clone_destroy(c23b25c0) at if_clone_destroy+0xa4
ifioctl(c25b115c,80206979,c23b25c0,c25b6360) at ifioctl+0x111
soo_ioctl(c240f7e0,80206979,c23b25c0,c2697380,c25b6360) at soo_ioctl+0x3d5
fo_ioctl(c240f7e0,80206979,c23b25c0,c2697380,c25b6360) at fo_ioctl+0x1d
kern_ioctl(c25b6360,3,80206979,c23b25c0) at kern_ioctl+0x22f
ioctl(c25b6360,cd0facec) at ioctl+0x124
syscall(cd0fad38) at syscall+0x2b4
Xint0x80_syscall() at Xint0x80_syscall+0x20

(kgdb) frame 13
#13 0xc08007bb in if_freemulti (ifma=0xc2310e00) at /usr/src/sys/net/if.c:2256
2256            KASSERT(ifma->ifma_protospec == NULL,
(kgdb) p *ifma
$3 = {ifma_link = {tqe_next = 0xc23b2460, tqe_prev = 0xc21fa4bc}, 
  ifma_addr = 0xc23b2200, ifma_lladdr = 0xc26d55c0, ifma_ifp = 0x0, 
  ifma_refcount = 0, ifma_protospec = 0xc26d5580, ifma_llifma = 0xc23b2a20}
(kgdb) p *(struct in6_multi *)ifma->ifma_protospec
$4 = {in6m_entry = {le_next = 0xc26d5680, le_prev = 0xc0be44cc}, in6m_addr = {
    __u6_addr = {__u6_addr8 = "ÿ\001\000\a", '\0' <repeats 11 times>, "\001", 
      __u6_addr16 = {511, 1792, 0, 0, 0, 0, 0, 256}, __u6_addr32 = {117441023, 
        0, 0, 16777216}}}, in6m_ifp = 0xc21fa400, in6m_ifma = 0xc2310e00, 
  in6m_refcount = 1, in6m_state = 0, in6m_timer = 0, in6m_timer_expire = {
    tv_sec = 0, tv_usec = 0}, in6m_timer_ch = 0xc23b2320}



in6m_refcount is still 1 so the in6_multi is not freed.


Andrew
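
The state in the dump above (ifma_refcount = 0, ifma_protospec still set, in6m_refcount = 1) can be reproduced in a small user-space model; this is an added example, not code from the message or from the FreeBSD source tree. Only the struct field names come from the dump; join(), leave(), purge_check() and scenario() are hypothetical helpers. The message does not say which kernel path leaves the extra reference, so the model simply assumes one more join than leave before the interface is detached.

```c
#include <stdio.h>
#include <stdlib.h>

/* User-space stand-ins for the two kernel structures shown in the dump. */
struct ifmultiaddr { int ifma_refcount; void *ifma_protospec; };
struct in6_multi   { int in6m_refcount; struct ifmultiaddr *in6m_ifma; };

/* Join: the first call links both records, later calls only bump
 * in6m_refcount (assumed behaviour for this model). */
static struct in6_multi *join(struct in6_multi *in6m) {
    if (in6m != NULL) { in6m->in6m_refcount++; return in6m; }
    struct ifmultiaddr *ifma = malloc(sizeof(*ifma));
    in6m = malloc(sizeof(*in6m));
    if (ifma == NULL || in6m == NULL) abort();
    *ifma = (struct ifmultiaddr){ .ifma_refcount = 1, .ifma_protospec = in6m };
    *in6m = (struct in6_multi){ .in6m_refcount = 1, .in6m_ifma = ifma };
    return in6m;
}

/* Leave: only the last leave clears protospec and frees the in6_multi. */
static struct in6_multi *leave(struct in6_multi *in6m) {
    if (--in6m->in6m_refcount > 0) return in6m;
    in6m->in6m_ifma->ifma_protospec = NULL;
    in6m->in6m_ifma->ifma_refcount--;
    free(in6m);
    return NULL;
}

/* Detach: the link-layer count is forced to 0, then the condition that
 * if_freemulti() asserts is tested. 0 = clean, -1 = kernel would panic. */
static int purge_check(struct ifmultiaddr *ifma) {
    ifma->ifma_refcount = 0;
    return ifma->ifma_protospec == NULL ? 0 : -1;
}

/* Constructed scenario: take `joins` (>= 1) references, drop `leaves`, detach. */
static int scenario(int joins, int leaves) {
    struct in6_multi *in6m = NULL;
    for (int i = 0; i < joins; i++) in6m = join(in6m);
    struct ifmultiaddr *ifma = in6m->in6m_ifma;
    for (int i = 0; i < leaves && in6m != NULL; i++) in6m = leave(in6m);
    int rc = purge_check(ifma);
    free(in6m);                      /* free(NULL) is a no-op */
    free(ifma);
    return rc;
}

int main(void) {
    printf("balanced: %d, one reference left: %d\n", scenario(1, 1), scenario(2, 1));
    return 0;
}
```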


