Bug 211602 - route change command for ipv6 route with bad gateway leads to deadlock/panic
Summary: route change command for ipv6 route with bad gateway leads to deadlock/panic
Status: Closed DUPLICATE of bug 215122
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 11.0-BETA3
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-net (Nobody)
Depends on:
Reported: 2016-08-05 15:38 UTC by guyyur
Modified: 2016-12-24 13:18 UTC (History)
5 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description guyyur 2016-08-05 15:38:10 UTC
When changing a route, rtrequest1_fib acquires a RIB_WLOCK.
If the ifa is not found, rtalloc1_fib might be called and it does a RIB_RLOCK.
This leads to a panic if INVARIANTS is in the kernel config or to a deadlock if not.

Example of bad gateway is forgetting the %IF when using a link local address.
# route add -inet6 default fe80::7
# route change -inet6 default fe80::7

Another example is changing when the route to the gateway was deleted.
# route add -inet6 2001:db8:0::/64 fe80::7%lo0
# route add -inet6 2001:db8:1::/64 2001:db8:0::1
# route delete -inet6 2001:db8:0::/64
# route change -inet6 2001:db8:1::/64 2001:db8:0::1

With 12.0-CURRENT r303766:
panic: rw_rlock: wlock already held for rib head lock @ /usr/src/sys/net/route.c:457
cpuid = 0
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00de231220
vpanic() at vpanic+0x182/frame 0xfffffe00de2312a0
kassert_panic() at kassert_panic+0x126/frame 0xfffffe00de231310
__rw_rlock() at __rw_rlock+0x4a3/frame 0xfffffe00de2313b0
rtalloc1_fib() at rtalloc1_fib+0x86/frame 0xfffffe00de231470
ifa_ifwithroute() at ifa_ifwithroute+0x83/frame 0xfffffe00de2314b0
rt_getifa_fib() at rt_getifa_fib+0xe7/frame 0xfffffe00de2314d0
rtrequest1_fib() at rtrequest1_fib+0x596/frame 0xfffffe00de2315c0
route_output() at route_output+0x6ce/frame 0xfffffe00de2317c0
sosend_generic() at sosend_generic+0x436/frame 0xfffffe00de231880
soo_write() at soo_write+0x42/frame 0xfffffe00de2318b0
dofilewrite() at dofilewrite+0xa4/frame 0xfffffe00de231900
kern_writev() at kern_writev+0x68/frame 0xfffffe00de231950
sys_write() at sys_write+0x84/frame 0xfffffe00de2319a0
amd64_syscall() at amd64_syscall+0x2db/frame 0xfffffe00de231ab0
Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffe00de231ab0
--- syscall (4, FreeBSD ELF64, sys_write), rip = 0x800977b1a, rsp = 0x7fffffffe1b8, rbp = 0x7fffffffea80 ---
KDB: enter: panic
[ thread pid 609 tid 100106 ]
Stopped at      kdb_enter+0x3b: movq    $0,kdb_why

I restored RTF_RNH_LOCKED (removed in r293829) locally as a workaround to notify rtalloc1_fib a lock is not needed until a better solution is found.
Comment 1 guyyur 2016-12-24 13:18:00 UTC

*** This bug has been marked as a duplicate of bug 215122 ***