RE: panic after dhclient in sys/net/if.c mtx_lock

From: Li, Qing <qing.li_at_bluecoat.com>
Date: Sun, 17 May 2009 09:56:55 -0700
Hi,

This is a known issue and is being actively investigated.
There are 2 known crash instances related to this issue.

As a workaround, including "VIMAGE_GLOBALS" in your kernel
config file will resolve this issue (assuming you are
not using VIMAGE).

The problem is that the V_loif interface pointer is reinitialized
to an ifnet different from the one V_loif is set to in
"lo_clone_create()".

-- Qing


-----Original Message-----
From: owner-freebsd-current_at_freebsd.org on behalf of Norikatsu Shigemura
Sent: Sun 5/17/2009 4:00 AM
To: freebsd-current_at_freebsd.org
Cc: Norikatsu Shigemura
Subject: panic after dhclient in sys/net/if.c mtx_lock
 
Hi.

	I got a panic after dhclient, as follows:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
<118>re0: no link ...
<118>.
<118> got link
<118>DHCPREQUEST on re0 to 255.255.255.255 port 67
<118>
<118>DHCPREQUEST on re0 to 255.255.255.255 port 67
<118>
<118>DHCPREQUEST on re0 to 255.255.255.255 port 67
<118>
<118>DHCPACK from 192.168.36.1
<118>


Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address   = 0x288
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff802bb31e
stack pointer           = 0x28:0xffffff80ec9167e0
frame pointer           = 0x28:0xffffff80ec916800
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 542 (ifconfig)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

	The backtrace shows the following:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(kgdb) bt
#0  doadump () at pcpu.h:223
#1  0xffffffff8019306c in db_fncall (dummy1=Variable "dummy1" is not available.
) at /usr/src/sys/ddb/db_command.c:548
#2  0xffffffff801933a1 in db_command (last_cmdp=0xffffffff8070c9a0, cmd_table=Variable "cmd_table" is not available.
)
    at /usr/src/sys/ddb/db_command.c:445
#3  0xffffffff801935f0 in db_command_loop () at /usr/src/sys/ddb/db_command.c:498
#4  0xffffffff80195599 in db_trap (type=Variable "type" is not available.
) at /usr/src/sys/ddb/db_main.c:229
#5  0xffffffff802f9000 in kdb_trap (type=12, code=0, tf=0xffffff80ec916730)
    at /usr/src/sys/kern/subr_kdb.c:534
#6  0xffffffff8049e29d in trap_fatal (frame=0xffffff80ec916730, eva=Variable "eva" is not available.
)
    at /usr/src/sys/amd64/amd64/trap.c:847
#7  0xffffffff8049e674 in trap_pfault (frame=0xffffff80ec916730, usermode=0)
    at /usr/src/sys/amd64/amd64/trap.c:768
#8  0xffffffff8049f0bf in trap (frame=0xffffff80ec916730)
    at /usr/src/sys/amd64/amd64/trap.c:494
#9  0xffffffff80478d33 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:223
#10 0xffffffff802bb31e in _mtx_lock_sleep (m=0xffffff00050cae20, 
    tid=18446742974297508528, opts=Variable "opts" is not available.
) at /usr/src/sys/kern/kern_mutex.c:340
#11 0xffffffff8036f4ad in ifaof_ifpforaddr (addr=0xffffffff806e4800, 
    ifp=0xffffff00050caa00) at /usr/src/sys/net/if.c:1541
#12 0xffffffff8037b4d8 in rt_getifa_fib (info=0xffffff80ec9168d0, fibnum=0)
    at /usr/src/sys/net/route.c:745
#13 0xffffffff8037bc8d in rtrequest1_fib (req=Variable "req" is not available.
) at /usr/src/sys/net/route.c:1025
#14 0xffffffff8038650d in in_ifinit (ifp=Variable "ifp" is not available.
) at /usr/src/sys/netinet/in.c:921
#15 0xffffffff80387aeb in in_control (so=Variable "so" is not available.
) at /usr/src/sys/netinet/in.c:547
#16 0xffffffff80372d91 in ifioctl (so=0xffffff0005fa5510, cmd=2151704858, 
    data=0xffffff000576bcc0 "re0", td=0xffffff0005ef8ab0) at /usr/src/sys/net/if.c:2226
#17 0xffffffff80307c1f in kern_ioctl (td=0xffffff0005ef8ab0, fd=Variable "fd" is not available.
) at file.h:262
#18 0xffffffff80307e51 in ioctl (td=0xffffff0005ef8ab0, uap=0xffffff80ec916c00)
    at /usr/src/sys/kern/sys_generic.c:677
#19 0xffffffff8049e8e7 in syscall (frame=0xffffff80ec916c90)
    at /usr/src/sys/amd64/amd64/trap.c:984
#20 0xffffffff80478fc0 in Xfast_syscall () at /usr/src/sys/amd64/amd64/exception.S:364
#21 0x0000000800a6d19c in ?? ()
Previous frame inner to this frame (corrupt stack?)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

	So I went up 10 frames and printed the value of 'v':
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(kgdb) up 10
#10 0xffffffff802bb31e in _mtx_lock_sleep (m=0xffffff00050cae20, 
    tid=18446742974297508528, opts=Variable "opts" is not available.
) at /usr/src/sys/kern/kern_mutex.c:340
340                             owner = (struct thread *)(v & ~MTX_FLAGMASK);
(kgdb) p v
$1 = 0
(kgdb) p m
$2 = (struct mtx *) 0xffffff00050cae20
(kgdb) p *m
$3 = {lock_object = {lo_name = 0x0, lo_flags = 0, lo_data = 0, lo_witness = 0x0}, 
  mtx_lock = 0}
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
	At this point, mtx_lock == NULL (the entire struct mtx is zeroed, including lo_name).

	So I went up one more frame:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(kgdb) up
#11 0xffffffff8036f4ad in ifaof_ifpforaddr (addr=0xffffffff806e4800, 
    ifp=0xffffff00050caa00) at /usr/src/sys/net/if.c:1541
1541            IF_ADDR_LOCK(ifp);
(kgdb) p *ifp
$4 = {if_softc = 0xffffff00050caa90, if_l2com = 0x0, if_vnet = 0xffffffff80393b30, 
  if_link = {tqe_next = 0x0, tqe_prev = 0xffffffff80379700}, 
  if_xname = "\000\000\000\000\000\000\000\000:9\200", 
  if_dname = 0xffffffff80379f20 "UH\211H\211H\203 H\205H\211]L\211mH\211L\211eI\211u\025H\213]L\213eH\211L\213m?\001", if_dunit = 0, 
  if_refcount = 0, if_addrhead = {tqh_first = 0xffffffff803790a0, 
    tqh_last = 0xffffffff80378f50}, if_klist = {kl_list = {
      slh_first = 0xffffffff80393700}, kl_lock = 0, kl_unlock = 0xffffff0005f49b20, 
    kl_locked = 0x600ffdf, kl_lockarg = 0xffffff000516b180}, if_pcount = 0, 
  if_carp = 0x0, if_bpf = 0x0, if_index = 43664, if_timer = 1292, 
  if_vlantrunk = 0x6800020, if_flags = 4, if_capabilities = 0, if_capenable = 99916576, 
  if_linkmib = 0xffffff000b1c8350, if_linkmiblen = 0, if_data = {ifi_type = 80 'P', 
    ifi_physical = 131 '\203', ifi_addrlen = 28 '\034', ifi_hdrlen = 11 '\v', 
    ifi_link_state = 0 '\0', ifi_spare_char1 = 255 '', ifi_spare_char2 = 255 '', 
    ifi_datalen = 255 '', ifi_mtu = 100728799, ifi_metric = 18446742974283297180, 
    ifi_baudrate = 0, ifi_ipackets = 0, ifi_ierrors = 1, 
    ifi_opackets = 18446744071567800714, ifi_oerrors = 69926912, ifi_collisions = 0, 
    ifi_ibytes = 1, ifi_obytes = 0, ifi_imcasts = 0, ifi_omcasts = 0, ifi_iqdrops = 0, 
    ifi_noproto = 0, ifi_hwassist = 0, ifi_epoch = 0, ifi_lastchange = {tv_sec = 0, 
      tv_usec = 0}}, if_multiaddrs = {tqh_first = 0x0, tqh_last = 0x0}, if_amcount = 0, 
  if_output = 0, if_input = 0, if_start = 0, if_ioctl = 0, if_watchdog = 0, if_init = 0, 
  if_resolvemulti = 0, if_qflush = 0, if_transmit = 0, if_addr = 0x0, if_llsoftc = 0x0, 
  if_drv_flags = 0, if_snd = {ifq_head = 0x0, ifq_tail = 0x0, ifq_len = 0, 
    ifq_maxlen = 0, ifq_drops = 0, ifq_mtx = {lock_object = {lo_name = 0x0, 
        lo_flags = 84716688, lo_data = 4294967040, lo_witness = 0x0}, 
      mtx_lock = 18446744071565818672}, ifq_drv_head = 0x0, 
    ifq_drv_tail = 0xffffffff80379700, ifq_drv_len = 0, ifq_drv_maxlen = 0, 
    altq_type = -2143733008, altq_flags = -1, altq_disc = 0xffffffff80379f20, 
    altq_ifp = 0x0, altq_enqueue = 0xffffffff803790a0 <rn_walktree>, 
    altq_dequeue = 0xffffffff80378f50 <rn_walktree_from>, 
    altq_request = 0xffffffff80393700 <in_clsroute>, altq_clfier = 0x0, 
    altq_classify = 0xffffff0005f49be8, altq_tbr = 0x600ffdf, 
    altq_cdnr = 0xffffff000516b180}, if_broadcastaddr = 0x0, if_bridge = 0x0, 
  if_label = 0x0, if_prefixhead = {tqh_first = 0xffffff00050cac90, 
    tqh_last = 0x6800020}, if_afdata = {0x4, 0xffffff0005f49be8, 0xffffff000b1c8418, 
    0x0, 0xffffff000b1c8418, 0x600ffdf, 0xffffff000516b19c, 0x0, 0x0, 0x1, 
    0xffffffff8057798a, 0x42b0000, 0x0, 0xffffff0005ef8ab0, 0x0 <repeats 24 times>}, 
  if_afdata_initialized = 0, if_afdata_lock = {lock_object = {lo_name = 0x0, 
      lo_flags = 0, lo_data = 0, lo_witness = 0x0}, rw_lock = 0}, if_linktask = {
    ta_link = {stqe_next = 0x0}, ta_pending = 0, ta_priority = 0, ta_func = 0, 
    ta_context = 0x0}, if_addr_mtx = {lock_object = {lo_name = 0x0, lo_flags = 0, 
      lo_data = 0, lo_witness = 0x0}, mtx_lock = 0}, if_clones = {le_next = 0x0, 
    le_prev = 0x0}, if_groups = {tqh_first = 0x0, tqh_last = 0x0}, if_pf_kif = 0x0, 
  if_lagg = 0x0, if_alloctype = 0 '\0', if_cspare = "\000\000", if_pspare = {0x0, 0x0, 
---Type <return> to continue, or q <return> to quit---
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, if_ispare = {0, 0, 0, 0}}
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

	Sorry, I have no idea what is wrong.  Is the above report OK?
Received on Sun May 17 2009 - 15:08:15 UTC
