Destroying a jail with vnet networking and vlan interface causes kernel panic if ipfw_nat module is loaded. Tested on 10.3, 11-CURRENT.

## Steps to Reproduce:

* Compile kernel with "options VIMAGE"
* kldload ipfw_nat
* jail -i -c name=test vnet persist
* ifconfig epair create
* ifconfig epair0b vnet test
* jexec test ifconfig vlan create
* jexec test ifconfig vlan0 192.168.100.2/24 vlandev epair0b vlan 10
* jail -r test

## Panic:

```
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0x378
fault code = supervisor read data, page not present
instruction pointer = 0X20:0xffffffff8069012d
stack pointer = 0x28:0x0fffffe003d5b0520
frame pointer = 0x28:0x0fffffe003d5b05b0
code segment = base rx0, limit 0xfffff, type 0x1b
 = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 983 (jail)
trap number = 12
panic: page fault
```

## Stack trace:

```
#8 0xffffffff80947c4d in __rw_wlock_hard (c=0xfffffe0001306218, tid=18446735277677514752, file=0x6 <Address 0x6 out of bounds>, line=0) at /usr/src/sys/kern/kern_rwlock.c:787
#9 0xffffffff80947a7a in _rw_wlock_cookie (c=<value optimized out>, file=0x0, line=6) at /usr/src/sys/kern/kern_rwlock.c:267
#10 0xffffffff81a17210 in ifaddr_change (arg=<value optimized out>, ifp=0xfffff80003d30000) at /usr/src/sys/modules/ipfw_nat/../../netpfil/ipfw/ip_fw_nat.c:68
#11 0xffffffff80a6faf6 in in_control (so=<value optimized out>, cmd=969435729749183252, data=<value optimized out>, ifp=0xfffff80003d30000, td=<value optimized out>) at /usr/src/sys/netinet/in.c:544
#12 0xffffffff80a09851 in if_purgeaddrs (ifp=0xfffff80003d30000) at /usr/src/sys/net/if.c:846
#13 0xffffffff80a09bc3 in if_detach_internal (ifp=0xfffff80003d30000, vmove=0, ifcp=<value optimized out>) at /usr/src/sys/net/if.c:947
#14 0xffffffff80a0999b in if_detach (ifp=0xfffffe0001306200) at /usr/src/sys/net/if.c:893
#15 0xffffffff80a183b3 in vlan_clone_destroy (ifc=0xfffff8000345a680, ifp=0xfffff80003d30000) at /usr/src/sys/net/if_vlan.c:1004
#16 0xffffffff80a10562 in if_clone_destroyif (ifc=0xfffff8000345a680, ifp=0xfffff80003d30000) at /usr/src/sys/net/if_clone.c:333
#17 0xffffffff80a10d08 in if_clone_detach (ifc=<value optimized out>) at /usr/src/sys/net/if_clone.c:457
#18 0xffffffff80a247e7 in vnet_sysuninit () at /usr/src/sys/net/vnet.c:594
#19 0xffffffff80a246f3 in vnet_destroy (vnet=0xfffff80003443180) at /usr/src/sys/net/vnet.c:291
#20 0xffffffff8091ad80 in prison_deref (pr=0xffffffff8149bd80, flags=<value optimized out>) at /usr/src/sys/kern/kern_jail.c:2649
#21 0xffffffff8091c9ae in sys_jail_remove (td=<value optimized out>, uap=<value optimized out>) at /usr/src/sys/kern/kern_jail.c:2315
#22 0xffffffff80d5d8b7 in amd64_syscall (td=0xfffff80003a29000, traced=0) at subr_syscall.c:134
#23 0xffffffff80d42f9b in Xfast_syscall () at /usr/src/sys/amd64/amd64/exception.S:396
```

I tried to reproduce this bug on current master and the OS didn't panic.