Bug 222308

Summary: ip_multicast: Panic due to VNET being invalid on lagg during SIOCDELMULTI
Product: Base System
Reporter: brent
Component: kern
Assignee: Kubilay Kocak <koobs>
Status: Closed FIXED
Severity: Affects Only Me
CC: net, pstef, shurd
Priority: ---
Version: 11.1-RELEASE   
Hardware: amd64   
OS: Any   
See Also: https://reviews.freebsd.org/D14969

Description brent 2017-09-13 19:07:14 UTC
Issue is detailed in a patch to FreeNAS by Chris Torek, seen here: https://github.com/freenas/os/commit/34462da8e3b1089311dd4627953d558929cc04fc#diff-c9065ed6e74837c7cb1ded9eb39e7fb9

I believe this panic is currently affecting me on nas4free 11.1.0.4, which utilizes FreeBSD 11.1-RELEASE-P1.

Copying his comments:

In in_leavegroup_locked(), when we're shedding a multicast
group, we may (or may not) delete it from an interface via
the igmp_change_state() call.  This is where we currently
set the multicast's vnet, and then restore the old vnet on
return.

However, a few lines later we use inm_release_locked() to
release the inet multicast data structure, and that in turn
may -- not necessarily will, only if the inm really is being
freed -- call if_delmulti_ifma(), which may -- not necessarily
will, again -- call the interface's SIOCDELMULTI ioctl
(if and only if there is an interface and this was the last
ref to this multicast address).

For (at least) the lagg interface, we still need the current
vnet to be valid during the SIOCDELMULTI.  So, don't restore
the old vnet until we've not only finished the IGMP code but
also inm_release_locked().
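
The ordering problem described above, as an added userspace model that is not part of the report or of the FreeBSD/FreeNAS source. The struct layouts, `lagg_delmulti()`, `inm_release()` and `leavegroup()` are simplified stand-ins (assumptions) for the kernel routines named in the text, and a counter stands in for the panic.

```c
/* Userspace model only: names mirror the report, bodies are assumptions. */
#include <stddef.h>
#include <stdio.h>

struct vnet { int id; };
struct ifnet { struct vnet *if_vnet; };
struct in_multi { struct ifnet *inm_ifp; int inm_refcount; };

static struct vnet *curvnet;   /* models the thread's current vnet */
static int bad_ctx;            /* SIOCDELMULTI calls made with the wrong vnet */

/* Models the lagg SIOCDELMULTI handler, which needs a valid current vnet. */
static void lagg_delmulti(struct ifnet *ifp)
{
    if (curvnet != ifp->if_vnet)
        bad_ctx++;             /* the kernel would panic at this point */
}

/* Models inm_release_locked(): only the last reference reaches the driver. */
static void inm_release(struct in_multi *inm)
{
    if (--inm->inm_refcount == 0 && inm->inm_ifp != NULL)
        lagg_delmulti(inm->inm_ifp);
}

/* Models in_leavegroup_locked(); restore_early selects the ordering the
 * report describes as faulty. Returns the number of bad driver calls. */
static int leavegroup(struct in_multi *inm, int restore_early)
{
    struct vnet *saved = curvnet;

    bad_ctx = 0;
    curvnet = inm->inm_ifp->if_vnet;   /* CURVNET_SET */
    /* igmp_change_state() would run here */
    if (restore_early)
        curvnet = saved;               /* restore before the release */
    inm_release(inm);
    curvnet = saved;                   /* restore after the release */
    return bad_ctx;
}

int main(void)
{
    struct vnet v = { 1 };             /* constructed sample objects */
    struct ifnet ifp = { &v };
    struct in_multi a = { &ifp, 1 }, b = { &ifp, 1 };

    printf("restore before release: %d bad call(s)\n", leavegroup(&a, 1));
    printf("restore after release:  %d bad call(s)\n", leavegroup(&b, 0));
    return 0;
}
```

The early-restore path only misbehaves when the reference being dropped is the last one, which matches the "may, not necessarily will" wording in the commit message.
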
Comment 1 brent 2017-09-13 19:40:15 UTC
I'll mention as well that Chris has two other fixes for issues in the in_mcast.c code that are worth looking at:

"Turning on multicast debug made multicast failure worse
because the strings and #define values no longer matched
up.  Fix them, and make sure they stay matched-up.":

https://github.com/freenas/os/commit/f768c70f166fb547bfa5559c934ddd41fe4dcc4e#diff-c9065ed6e74837c7cb1ded9eb39e7fb9

"During if_detach(), we get a race where a closing socket is
releasing multicast data (via inp_freemoptions()) at the same
time as igmp_ifdetach() is releasing all multicast data for
the interface, resulting in a potential double teardown and
double free. ...":

https://github.com/freenas/os/commit/83854288f897f0e886a2a6f17d2583081b8e25cb#diff-c9065ed6e74837c7cb1ded9eb39e7fb9
Comment 2 Piotr Pawel Stefaniak freebsd_committer freebsd_triage 2021-08-20 17:21:10 UTC
This seems to have been fixed in r333175 and improved in r333309 (f3e1324b41e5 and b6f6f88018f3).
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2021-08-25 04:53:19 UTC
^Triage: Resolve FIXED. If this is still an issue, please re-open with additional detail.