Bug 211602

Summary: route change command for ipv6 route with bad gateway leads to deadlock/panic
Product: Base System Reporter: guyyur
Component: kernAssignee: freebsd-net (Nobody) <net>
Status: Closed DUPLICATE    
Severity: Affects Only Me CC: markj, melifaro, re, sbruno, vangyzen
Priority: ---    
Version: 11.0-BETA3   
Hardware: Any   
OS: Any   

Description guyyur 2016-08-05 15:38:10 UTC 
When changing a route, rtrequest1_fib acquires a RIB_WLOCK.
If the ifa is not found, rtalloc1_fib might be called and it does a RIB_RLOCK.
This leads to a panic if INVARIANTS is in the kernel config or to a deadlock if not.

Example of bad gateway is forgetting the %IF when using a link local address.
# route add -inet6 default fe80::7
# route change -inet6 default fe80::7

Another example is changing when the route to the gateway was deleted.
# route add -inet6 2001:db8:0::/64 fe80::7%lo0
# route add -inet6 2001:db8:1::/64 2001:db8:0::1
# route delete -inet6 2001:db8:0::/64
# route change -inet6 2001:db8:1::/64 2001:db8:0::1

With 12.0-CURRENT r303766:
panic: rw_rlock: wlock already held for rib head lock @ /usr/src/sys/net/route.c:457
cpuid = 0
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00de231220
vpanic() at vpanic+0x182/frame 0xfffffe00de2312a0
kassert_panic() at kassert_panic+0x126/frame 0xfffffe00de231310
__rw_rlock() at __rw_rlock+0x4a3/frame 0xfffffe00de2313b0
rtalloc1_fib() at rtalloc1_fib+0x86/frame 0xfffffe00de231470
ifa_ifwithroute() at ifa_ifwithroute+0x83/frame 0xfffffe00de2314b0
rt_getifa_fib() at rt_getifa_fib+0xe7/frame 0xfffffe00de2314d0
rtrequest1_fib() at rtrequest1_fib+0x596/frame 0xfffffe00de2315c0
route_output() at route_output+0x6ce/frame 0xfffffe00de2317c0
sosend_generic() at sosend_generic+0x436/frame 0xfffffe00de231880
soo_write() at soo_write+0x42/frame 0xfffffe00de2318b0
dofilewrite() at dofilewrite+0xa4/frame 0xfffffe00de231900
kern_writev() at kern_writev+0x68/frame 0xfffffe00de231950
sys_write() at sys_write+0x84/frame 0xfffffe00de2319a0
amd64_syscall() at amd64_syscall+0x2db/frame 0xfffffe00de231ab0
Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffe00de231ab0
--- syscall (4, FreeBSD ELF64, sys_write), rip = 0x800977b1a, rsp = 0x7fffffffe1b8, rbp = 0x7fffffffea80 ---
KDB: enter: panic
[ thread pid 609 tid 100106 ]
Stopped at      kdb_enter+0x3b: movq    $0,kdb_why


I restored RTF_RNH_LOCKED (removed in r293829) locally as a workaround to notify rtalloc1_fib a lock is not needed until a better solution is found.
https://github.com/guyyur/freebsd-src_patches/blob/master/route-change-bad-gateway-panic.patch
Comment 1 guyyur 2016-12-24 13:18:00 UTC 

*** This bug has been marked as a duplicate of bug 215122 ***