Date:      Tue, 17 Aug 2010 15:56:51 +0000
From:      Nima Misaghian <nima_misa@hotmail.com>
To:        <freebsd-net@freebsd.org>
Subject:   Kernel panic from interface address list manipulation
Message-ID:  <COL117-W4767407C73774C4E24D1638D9C0@phx.gbl>

I’ve been able to trivially trigger a kernel panic while testing ifaddr list manipulation on -CURRENT (r211427).  The hardware is a four-core i386 machine with em interfaces.

This is the test script I’ve used to trigger the problem:

#!/bin/sh

addr_loop()
{
while true
do
        ifconfig em1 1.0.0.1/24
        ifconfig em1 -alias 1.0.0.1
done
}

addr_loop &
addr_loop &

With WITNESS and INVARIANTS the panic happens immediately upon starting the script, with the following backtrace:

panic: Bad link elm 0xd17aec00 prev->next != elm

#0  doadump () at pcpu.h:231
231     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) #0  doadump () at pcpu.h:231
#1  0xc088a4ef in boot (howto=260) at /d2/head/sys/kern/kern_shutdown.c:416
#2  0xc088a7bb in panic (fmt=Variable "fmt" is not available.
) at /d2/head/sys/kern/kern_shutdown.c:590
#3  0xc098caf8 in in_control (so=0xd30af4d4, cmd=2151704858,
    data=0xd1923b80 "em1", ifp=0xd1554800, td=0xd31262c0)
    at /d2/head/sys/netinet/in.c:602
#4  0xc0938869 in ifioctl (so=0xd30af4d4, cmd=2151704858,
    data=0xd1923b80 "em1", td=0xd31262c0) at /d2/head/sys/net/if.c:2469
#5  0xc08d7e6b in soo_ioctl (fp=0xd2540ce8, cmd=2151704858, data=0xd1923b80,
    active_cred=0xd2594900, td=0xd31262c0)
    at /d2/head/sys/kern/sys_socket.c:212
#6  0xc08d2075 in kern_ioctl (td=0xd31262c0, fd=3, com=2151704858,
    data=0xd1923b80 "em1") at file.h:254
#7  0xc08d21e2 in ioctl (td=0xd31262c0, uap=0xf3a2ecec)
    at /d2/head/sys/kern/sys_generic.c:678
#8  0xc08c77d8 in syscallenter (td=0xd31262c0, sa=0xf3a2ece4)
    at /d2/head/sys/kern/subr_trap.c:319
#9  0xc0bb18f3 in syscall (frame=0xf3a2ed28)
    at /d2/head/sys/i386/i386/trap.c:1060
#10 0xc0b9a231 in Xint0x80_syscall ()
    at /d2/head/sys/i386/i386/exception.s:264
#11 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb)

I’ve also reproduced it without WITNESS and INVARIANTS, but it seems to need additional copies of the script running simultaneously and still takes longer to panic.  I’ve produced several different backtraces from the non-debugging kernel.
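
The panic string has the form of the list-linkage sanity checks that sys/queue.h compiles in for INVARIANTS kernels. The user-space sketch below is an added example, not part of the original message and not FreeBSD code; it shows how such a check catches a second removal of an element that is already unlinked. The struct and function names are hypothetical, and the double removal is an assumed interleaving, not a diagnosis taken from the report.

```c
#include <stddef.h>

/* queue(3)-style links: prev points at the previous element's next field. */
struct addr {
    struct addr  *next;
    struct addr **prev;
    const char   *label;            /* constructed sample data */
};
struct addr_list { struct addr *first; struct addr **last; };

static void list_init(struct addr_list *l) { l->first = NULL; l->last = &l->first; }

static void list_insert_tail(struct addr_list *l, struct addr *e) {
    e->next = NULL;
    e->prev = l->last;
    *l->last = e;
    l->last = &e->next;
}

/* The sanity check: whatever precedes e must still point at e. */
static int link_ok(const struct addr *e) { return *e->prev == e; }

/* Returns 0 on success, -1 where a debug kernel would panic "Bad link elm". */
static int list_remove_checked(struct addr_list *l, struct addr *e) {
    if (!link_ok(e))
        return -1;
    if (e->next != NULL)
        e->next->prev = e->prev;
    else
        l->last = e->prev;
    *e->prev = e->next;
    return 0;
}

/* Serial replay of one assumed interleaving: two callers hold the same
 * element pointer and each removes it. Returns 1 if only the second fails. */
static int double_remove_demo(void) {
    struct addr_list l;
    struct addr a = { .label = "existing" }, b = { .label = "1.0.0.1" };
    list_init(&l);
    list_insert_tail(&l, &a);
    list_insert_tail(&l, &b);
    int first = list_remove_checked(&l, &b);    /* caller 1 unlinks b */
    int second = list_remove_checked(&l, &b);   /* caller 2: stale pointer */
    return first == 0 && second == -1;
}

int main(void) { return double_remove_demo() ? 0 : 1; }
```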

 




 		 	   		  


