Bug #1919

panic on detroying tap device

Added by lentferj over 3 years ago. Updated over 3 years ago.

Status:NewStart date:
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:-
Target version:-

Description

When playing with vkernel and networking a encountered a panic when doing

ifconfig tap4 down
ifconfig tap4 destroy

The backtrace is below. Kernel dump is available (for own reference .12
files).

Jan

df386devel# kgdb kern.12 vmcore.12
GNU gdb (GDB) 7.0
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i386-dragonfly".
For bug reporting instructions, please see:
<http://bugs.dragonflybsd.org/&gt;...
Reading symbols from /var/crash/kern.12...done.

Unread portion of the kernel message buffer:
panic: if_clone_destroy: bit is already cleared
Trace beginning at frame 0xd74bbb14
panic(ffffffff) at panic+0xe8
panic(c05c08c0,c0582e91,4,d74bbc1c,cc650b68) at panic+0xe8
if_clone_destroy(d74bbc1c,c06f3420,cea12198,0,24) at if_clone_destroy+0x72
ifioctl(d4399500,80206979,d74bbc1c,cc650b68) at ifioctl+0x29c
soo_ioctl(cc6902c8,80206979,d74bbc1c,cc650b68,d74bbcf0) at soo_ioctl+0x126
mapped_ioctl(3,80206979,8102ee0,0,d74bbcf0) at mapped_ioctl+0x408
sys_ioctl(d74bbcf0,1cee,0,ce9dc4e0,282) at sys_ioctl+0x17
syscall2(d74bbd40) at syscall2+0x20e
Xint0x80_syscall() at Xint0x80_syscall+0x36
Uptime: 3d7h37m21s
Physical memory: 1015 MB
Dumping 350 MB: 335 319 303 287 271 255 239 223 207 191 175 159 143 127
111 95 79 63 (CTRL-C to abort) (CTRL-C to abort) 47 31 15

Reading symbols from /boot/kernel/acpi.ko...done.
Loaded symbols for /boot/kernel/acpi.ko
Reading symbols from /boot/kernel/ahci.ko...done.
Loaded symbols for /boot/kernel/ahci.ko
Reading symbols from /boot/kernel/ehci.ko...done.
Loaded symbols for /boot/kernel/ehci.ko
Reading symbols from /boot/kernel/vn.ko...done.
Loaded symbols for /boot/kernel/vn.ko
Reading symbols from /boot/kernel/pf.ko...done.
Loaded symbols for /boot/kernel/pf.ko
Reading symbols from /boot/kernel/if_bridge.ko...done.
Loaded symbols for /boot/kernel/if_bridge.ko
Reading symbols from /boot/kernel/if_tap.ko...done.
Loaded symbols for /boot/kernel/if_tap.ko
_get_mycpu (di=0xc06d63e0) at ./machine/thread.h:83
83 __asm ("movl %%fs:globaldata,%0" : "=r" (gd) :
"m"(__mycpu__dummy));
(kgdb) backtrace
#0 _get_mycpu (di=0xc06d63e0) at ./machine/thread.h:83
#1 md_dumpsys (di=0xc06d63e0)
at /home/lentferj/repo/src/sys/platform/pc32/i386/dump_machdep.c:263
#2 0xc03105c1 in dumpsys ()
at /home/lentferj/repo/src/sys/kern/kern_shutdown.c:881
#3 0xc0310b30 in boot (howto=260)
at /home/lentferj/repo/src/sys/kern/kern_shutdown.c:388
#4 0xc0310cb0 in panic (fmt=0xc05c08c0 "%s: bit is already cleared")
at /home/lentferj/repo/src/sys/kern/kern_shutdown.c:787
#5 0xc038a6f5 in if_clone_destroy (name=0xd74bbc1c "tap4")
at /home/lentferj/repo/src/sys/net/if_clone.c:158
#6 0xc038954b in ifioctl (so=0xd4399500, cmd=2149607801,
data=0xd74bbc1c "tap4", cred=0xcc650b68)
at /home/lentferj/repo/src/sys/net/if.c:1476
#7 0xc0338b92 in soo_ioctl (fp=0xcc6902c8, cmd=0, data=0xd74bbc1c "tap4",
cred=0xcc650b68, msg=0xd74bbcf0)
at /home/lentferj/repo/src/sys/kern/sys_socket.c:179
#8 0xc033461b in fo_ioctl (fd=3, com=2149607801,
uspc_data=0x8102ee0 <Address 0x8102ee0 out of bounds>, map=0x0,
msg=0xd74bbcf0) at /home/lentferj/repo/src/sys/sys/file2.h:88
#9 mapped_ioctl (fd=3, com=2149607801,
uspc_data=0x8102ee0 <Address 0x8102ee0 out of bounds>, map=0x0,
msg=0xd74bbcf0) at /home/lentferj/repo/src/sys/kern/sys_generic.c:737
---Type <return> to continue, or q <return> to quit---
---Type <return> to continue, or q <return> to quit---#10 0xc03346b8 in
sys_ioctl (uap=0xd74bbcf0)
at /home/lentferj/repo/src/sys/kern/sys_generic.c:556
#11 0xc0558448 in syscall2 (frame=0xd74bbd40)
at /home/lentferj/repo/src/sys/platform/pc32/i386/trap.c:1336
#12 0xc0547366 in Xint0x80_syscall ()
at /home/lentferj/repo/src/sys/platform/pc32/i386/exception.s:876
#13 0x0000001f in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(kgdb)

History

#1 Updated by sepherosa over 3 years ago

On Mon, Nov 22, 2010 at 12:56 AM, Jan Lentfer <> wrote:
> When playing with vkernel and networking a encountered a panic when doing
>
> ifconfig tap4 down
> ifconfig tap4 destroy

If the tap(4) is open(2)ed by vkernel, it should bypasses all cloning operation.

Your probably should add one more if_clone method besides
if_clone_creat/if_clone_destroy, like if_clone_iscloned, to fix all
pseudo devices, which support open(2) and if_clone. Then change code
in net/if_clone.c like following:

int
if_clone_destroy()
{
....

ifp = ifunit(name);
if (ifp == NULL)
return (ENXIO);

if (!ifc->ifc_iscloned(ifp))
return EOPNOTSUPP;

if (ifc->ifc_destroy == NULL)
return (EOPNOTSUPP);

....
}

BTW, after all these the TAP_CLONE test in tap_clone_destroy()
probably should be changed to assertion.

Best Regards,
sephe

Also available in: Atom PDF