$ uname -a
FreeBSD somebox 13.0-CURRENT FreeBSD 13.0-CURRENT #0 r361562M: Wed May 27 19:54:22 EDT 2020 user@somebox:/usr/obj/usr/src2/amd64.amd64/sys/MYKERN amd64

Steps to reproduce:

# Create a wlan interface with ifconfig:
ifconfig wlan7 create wlandev run0
ifconfig wlan7 inet6 ifdisabled
ifconfig wlan7 mode 11ng channel 9 -ampdutx -ampdurx
ifconfig wlan7 inet6 -ifdisabled
ifconfig wlan7 inet6 accept_rtadv
ifconfig wlan7 inet6 accept_rtadv up
# Do some activity on the network (open a website?)
# destroy the wlan interface
ifconfig wlan7 destroy
# kernel panics!

Unread portion of the kernel message buffer from crash report:

__curthread () at /usr/src2/sys/amd64/include/pcpu_aux.h:55
55 /usr/src2/sys/amd64/include/pcpu_aux.h: No such file or directory.
(kgdb)
#0 __curthread () at /usr/src2/sys/amd64/include/pcpu_aux.h:55
#1 doadump (textdump=1) at /usr/src2/sys/kern/kern_shutdown.c:394
#2 0xffffffff80ac1670 in kern_reboot (howto=260) at /usr/src2/sys/kern/kern_shutdown.c:481
#3 0xffffffff80ac1aca in vpanic (fmt=<optimized out>, ap=<optimized out>) at /usr/src2/sys/kern/kern_shutdown.c:913
#4 0xffffffff80ac1823 in panic (fmt=<unavailable>) at /usr/src2/sys/kern/kern_shutdown.c:839
#5 0xffffffff80f29a67 in trap_fatal (frame=0xfffffe001d742400, eva=0) at /usr/src2/sys/amd64/amd64/trap.c:919
#6 0xffffffff80f29b09 in trap_pfault (frame=0xfffffe001d742400, usermode=<optimized out>, signo=<optimized out>, ucode=<optimized out>) at /usr/src2/sys/amd64/amd64/trap.c:736
#7 0xffffffff80f29105 in trap (frame=0xfffffe001d742400) at /usr/src2/sys/amd64/amd64/trap.c:400
#8 <signal handler called>
#9 0xffffffff80ce307d in ip6_output (m0=<optimized out>, opt=<optimized out>, ro=<optimized out>, flags=0, im6o=0x0, ifpp=0x0, inp=0xfffff801ea6b8b70) at /usr/src2/sys/netinet6/ip6_output.c:790
#10 0xffffffff80ca829c in tcp_output (tp=0xfffffe00b1dd2850) at /usr/src2/sys/netinet/tcp_output.c:1420
#11 0xffffffff80cae5f1 in tcp_drop (tp=0xfffffe00b1dd2850, errno=60) at /usr/src2/sys/netinet/tcp_subr.c:1882
#12 0xffffffff80cb6bf6 in tcp_timer_keep (xtp=0xfffffe00b1dd2850) at /usr/src2/sys/netinet/tcp_timer.c:506
#13 0xffffffff80add28f in softclock_call_cc (c=0xfffffe00b1dd2b48, cc=0xffffffff81a97a40 <cc_cpu>, direct=0) at /usr/src2/sys/kern/kern_timeout.c:703
#14 0xffffffff80add64b in softclock (arg=0xffffffff81a97a40 <cc_cpu>) at /usr/src2/sys/kern/kern_timeout.c:823
#15 0xffffffff80a81ff9 in intr_event_execute_handlers (p=<optimized out>, ie=0xfffff800037a4e00) at /usr/src2/sys/kern/kern_intr.c:1153
#16 ithread_execute_handlers (p=<optimized out>, ie=0xfffff800037a4e00) at /usr/src2/sys/kern/kern_intr.c:1166
#17 ithread_loop (arg=<optimized out>) at /usr/src2/sys/kern/kern_intr.c:1254
#18 0xffffffff80a7eb40 in fork_exit (callout=0xffffffff80a81d80 <ithread_loop>, arg=0xfffff80003775280, frame=0xfffffe001d742b00) at /usr/src2/sys/kern/kern_fork.c:1053
#19 <signal handler called>
(kgdb)

Can you show the full panic message from the report? It starts with "Fatal trap 12: page fault while in kernel mode".

(In reply to Andrey V. Elsukov from comment #1)

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0x0
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff80ce307d
stack pointer = 0x28:0xfffffe001d7424c0
frame pointer = 0x28:0xfffffe001d742710
code segment = base rx0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 12 (swi4: clock (0))
trap number = 12

--
Is this all the info you needed?

(In reply to Ashish Gupta from comment #2)

Looks like we are panicking because the counters in the in6_ifstat block are freed. In particular, the panic happens while executing:

790 in6_ifstat_inc(ifp, ifs6_out_request);

which expands to

#define in6_ifstat_inc(ifp, tag) \
do { \
        if (ifp) \
                counter_u64_add(((struct in6_ifextra *) \
                    ((ifp)->if_afdata[AF_INET6]))->in6_ifstat[ \
                    offsetof(struct in6_ifstat, tag) / sizeof(uint64_t)], 1);\
} while (/*CONSTCOND*/ 0)

and the fault address is 0, so it shouldn't be from the if_afdata dereference or the in6_ifstat dereference (since ifs6_out_request is not the first counter in the block). So the interface is already destroyed, but we are sending TCP keepalives through it.

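Added example, not part of the thread or of FreeBSD: a small triage script that correlates the "instruction pointer" field of the trap message with the kgdb backtrace to locate the faulting frame, the same step that leads to ip6_output.c:790 in the analysis above. The sample text is constructed from the report (frames trimmed); the function names and the first-page threshold for a NULL-based access are assumptions.

```python
import re

# Constructed sample: fields and frames taken from the report above, trimmed.
TRAP = """\
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x0
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff80ce307d
current process = 12 (swi4: clock (0))
"""
BACKTRACE = """\
#7 0xffffffff80f29105 in trap (frame=0xfffffe001d742400) at /usr/src2/sys/amd64/amd64/trap.c:400
#8 <signal handler called>
#9 0xffffffff80ce307d in ip6_output (m0=<optimized out>, flags=0, im6o=0x0, ifpp=0x0) at /usr/src2/sys/netinet6/ip6_output.c:790
#10 0xffffffff80ca829c in tcp_output (tp=0xfffffe00b1dd2850) at /usr/src2/sys/netinet/tcp_output.c:1420
"""

# "name = value" lines of the trap message; the banner line has no "=" field.
FIELD = re.compile(r"^([a-z ]+?)\s*=\s*(.+)$", re.M)
# kgdb frames that carry a program counter and a file:line location.
FRAME = re.compile(r"^#(\d+)\s+(0x[0-9a-f]+) in (\w+) \(.*\) at (\S+):(\d+)$", re.M)

def parse_trap(text):
    """Extract the fault address, faulting PC and fault code from the trap message."""
    fields = {k.strip(): v.strip() for k, v in FIELD.findall(text)}
    # The instruction pointer is printed as selector:offset; keep the offset.
    ip = int(fields["instruction pointer"].split(":")[1], 16)
    return {"fault_va": int(fields["fault virtual address"], 16),
            "ip": ip, "code": fields["fault code"]}

def faulting_frame(trap, backtrace):
    """Return the backtrace frame whose PC equals the trap's instruction pointer."""
    for num, pc, func, path, line in FRAME.findall(backtrace):
        if int(pc, 16) == trap["ip"]:
            return {"frame": int(num), "func": func,
                    "file": path.rsplit("/", 1)[-1], "line": int(line)}
    return None  # PC not in the backtrace (truncated dump or a different thread)

def triage(trap_text, backtrace):
    trap = parse_trap(trap_text)
    frame = faulting_frame(trap, backtrace)
    # Assumption: a fault inside the first page is treated as a NULL-based access.
    null_based = trap["fault_va"] < 4096
    return trap, frame, null_based

if __name__ == "__main__":
    print(triage(TRAP, BACKTRACE))
```
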
Does it still happen on stable/13 or current/14?