Panics with if_bridge(4)

From: Michal Mertl <mime_at_traveller.cz>
Date: Sat, 13 Aug 2005 12:44:26 +0200

I'm experiencing panics when configuring if_bridge interface on a debug
kernel with INVARIANTS.

This is how I trigger it (I've got custom kernel with everything I use
compiled statically into it):
# ifconfig bridge0 create

bridge0: bpf attached
bridge0: Ethernet address: ac:de:48:0c:22:8f

# ifconfig bridge0 192.168.0.2 addm ath0 addm fxp0

panic: mutex if_bridge not owned at ../../../net/bridgestp.c:899

#23 0xc05641aa in kdb_enter (msg=0x0) at cpufunc.h:60
#24 0xc054873c in panic (fmt=0xc06dcd5e "mutex %s not owned at %s:%d")
at ../../../kern/kern_shutdown.c:537
#25 0xc053f36f in _mtx_assert (m=0xc182310c, what=0, file=0xc06e6cc6
"../../../net/bridgestp.c", line=899) at ../../../kern/kern_mutex.c:739
#26 0xc05bc29d in bstp_stop (sc=0xc1823100)
at ../../../net/bridgestp.c:899
#27 0xc05bc0e4 in bstp_initialization (sc=0xc1823100)
at ../../../net/bridgestp.c:853
#28 0xc05c1b8d in bridge_init (xsc=0xc1823100)
at ../../../net/if_bridge.c:1218
#29 0xc05c669e in ether_ioctl (ifp=0xc1624000, command=0,
data=0xc18ec000 "ÄÀ\216ÁÔÀ\216ÁäÀ\216Á")
at ../../../net/if_ethersubr.c:1055
#30 0xc05c0de6 in bridge_ioctl (ifp=0xc1624000, cmd=2149607692,
data=0xc18ec000 "ÄÀ\216ÁÔÀ\216ÁäÀ\216Á") at ../../../net/if_bridge.c:615
#31 0xc05eac7e in in_ifinit (ifp=0xc1624000, ia=0xc18ec000, sin=0x0,
scrub=0) at ../../../netinet/in.c:711
#32 0xc05ea1e1 in in_control (so=0x0, cmd=1, data=0xc18212c0 "bridge0",
ifp=0xc1624000, td=0xc15a4480) at ../../../netinet/in.c:435
#33 0xc05bf537 in ifioctl (so=0xc17616f4, cmd=2151704858,
data=0xc18212c0 "bridge0", td=0xc15a4480) at ../../../net/if.c:1592
#34 0xc05790c8 in soo_ioctl (fp=0x0, cmd=2151704858, data=0xc18212c0,
active_cred=0xc14fcd80, td=0xc15a4480) at ../../../kern/sys_socket.c:214
#35 0xc0572650 in ioctl (td=0xc15a4480, uap=0xcc95ad04) at file.h:258
#36 0xc06a5811 in syscall (frame=
      {tf_fs = -1078001605, tf_es = 59, tf_ds = -1078001605, tf_edi =
134577024, tf_esi = 0, tf_ebp = -1077940680, tf_isp = -862605980, tf_ebx
= 1, tf_edx = 134588672, tf_ecx = 0, tf_eax = 54, tf_trapno = 12, tf_err
= 2, tf_eip = 672419903, tf_cs = 51, tf_eflags = 582, tf_esp =
-1077942836, tf_ss = 59}) at ../../../i386/i386/trap.c:986
#37 0xc069387f in Xint0x80_syscall ()
at ../../../i386/i386/exception.s:200


I noticed that the panic doesn't happen when I configure the interface
differently as hinted in the manual page (addm fxp0 addm ath0 up).

The if_bridge also causes crashes after ifconfig destroy with "memory
modified after free" messages - it seems if_bridge doesn't clean up
after itself completely.

I also had one hangup with if_bridge - I configure the bridge0 interface
with ifconfig bridge0 addm fxp0 addm ath0 up;ifconfig bridge0
10.0.0.1/24. A minute later I thought I'd try STP (although no other
device here speaks it) and did ifconfig bridge0 stp fxp0;ifconfig
bridge0 stp ath0. Several seconds later I saw something like "pfil
m_pullup failed" and the machine was frozen. I can't reproduce this one
though.

I've got several coredumps, both from the INVARIANTS panic and from
memory modified after free one.

I'm missing a way to list the table of mac addresses learned behind an
interface. What good is ioctl to delete an address from the list if one
can't see the list? I think I should be able to write it - I did
something pretty similar for wlan_acl (which has similar issues on
unload but Sam Leffler knows about it and knows how to fix it).

Please tell me if I can provide any more information.

Michal
Received on Sat Aug 13 2005 - 08:44:33 UTC
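
The panic message above is what a lock-ownership assertion prints when a function that expects its caller to hold a mutex is reached without it; in the backtrace that function is bstp_stop(), reached from bridge_init(). The following C program is an added example, not part of the original message or of FreeBSD: a single-threaded userspace model of that check, in which every name (owned_mtx, stop_model, init_unlocked, init_locked) is hypothetical.

```c
/* Added example: userspace model of a lock-ownership assertion. Not FreeBSD code. */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

struct owned_mtx {
    pthread_mutex_t lock;
    pthread_t owner;   /* meaningful only while held is true */
    bool held;
    const char *name;
};

static int violations; /* failed ownership checks seen so far */

static void om_lock(struct owned_mtx *m) {
    pthread_mutex_lock(&m->lock);
    m->owner = pthread_self();
    m->held = true;
}

static void om_unlock(struct owned_mtx *m) {
    m->held = false;
    pthread_mutex_unlock(&m->lock);
}

/* Ownership check: a debug kernel would panic here; the model reports and counts. */
static bool om_assert_owned(struct owned_mtx *m, const char *file, int line) {
    if (m->held && pthread_equal(m->owner, pthread_self()))
        return true;
    fprintf(stderr, "mutex %s not owned at %s:%d\n", m->name, file, line);
    violations++;
    return false;
}

/* Callee whose contract is "caller holds the lock": it asserts instead of locking. */
static bool stop_model(struct owned_mtx *m) {
    return om_assert_owned(m, __FILE__, __LINE__); /* protected state is touched after this */
}

/* Call path that breaks the contract: reaches the callee without the lock. */
static bool init_unlocked(struct owned_mtx *m) { return stop_model(m); }

/* Call path that honours the contract. */
static bool init_locked(struct owned_mtx *m) {
    om_lock(m);
    bool ok = stop_model(m);
    om_unlock(m);
    return ok;
}

int main(void) {
    struct owned_mtx m = { .lock = PTHREAD_MUTEX_INITIALIZER, .name = "bridge_model" };
    bool bad = init_unlocked(&m), good = init_locked(&m);
    printf("unlocked path ok=%d, locked path ok=%d, violations=%d\n", bad, good, violations);
    return 0;
}
```

In FreeBSD the equivalent check, mtx_assert(), is only compiled in when the kernel is built with INVARIANTS, so a call path that reaches such a function without the lock goes undetected on a non-debug kernel.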