kern/169236: [regression] [net] 8.3-STABLE panices on "ifconfig bridgeN destroy"

[Eugene Grosbein]

>Number:         169236
>Category:       kern
>Synopsis:       [regression] [net] 8.3-STABLE panices on "ifconfig bridgeN destroy"
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 19 09:40:15 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Eugene Grosbein
>Release:        FreeBSD 8.3-STABLE amd64
>Organization:
RDTC JSC
>Environment:
System: FreeBSD k-45-pc-1.sd.rdtc.ru 8.3-STABLE FreeBSD 8.3-STABLE #37: Wed Jun 13 12:25:17 NOVT 2012 root at k-45-pc-1.sd.rdtc.ru:/usr/local/obj/home/src/sys/PPPOE amd64

>Description:

	vlan2127 is created on lagg1 and added as member to bridge2127 (no other members).
	lagg1, vlan2127 and bridge2127 are UP.

	For 8.2-STABLE, the command "ifconfig bridge2127 destroy" works just fine.
	For 8.3-STABLE, it panices the kernel.

>How-To-Repeat:

	See above. Here is kgdb output for crashdump obtained after panic:

Script started on Tue Jun 19 16:25:19 2012
kgdb kernel /home/crash/k-45-pc-3/vmcore.0
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 02
fault virtual address	= 0x30
fault code		= supervisor write data, page not present
instruction pointer	= 0x20:0xffffffff803bb077
stack pointer	        = 0x28:0xffffff81254f4800
frame pointer	        = 0x28:0xffffff81254f4830
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 13897 (ifconfig)
trap number		= 12
panic: page fault
cpuid = 3
KDB: stack backtrace:
db_trace_self_wrapper() at 0xffffffff801adcca = db_trace_self_wrapper+0x2a
kdb_backtrace() at 0xffffffff803305d7 = kdb_backtrace+0x37
panic() at 0xffffffff802fd22e = panic+0x1ce
trap_fatal() at 0xffffffff804f3150 = trap_fatal+0x290
trap_pfault() at 0xffffffff804f34de = trap_pfault+0x23e
trap() at 0xffffffff804f39ae = trap+0x3ce
calltrap() at 0xffffffff804da774 = calltrap+0x8
--- trap 0xc, rip = 0xffffffff803bb077, rsp = 0xffffff81254f4800, rbp = 0xffffff81254f4830 ---
bridge_linkstate() at 0xffffffff803bb077 = bridge_linkstate+0x27
bridge_delete_member() at 0xffffffff803bb2f1 = bridge_delete_member+0x141
bridge_clone_destroy() at 0xffffffff803bdbaa = bridge_clone_destroy+0x6a
ifc_simple_destroy() at 0xffffffff803c03aa = ifc_simple_destroy+0x2a
if_clone_destroyif() at 0xffffffff803c05ad = if_clone_destroyif+0xbd
if_clone_destroy() at 0xffffffff803c095d = if_clone_destroy+0xcd
ifioctl() at 0xffffffff803b9329 = ifioctl+0x2c9
kern_ioctl() at 0xffffffff80341722 = kern_ioctl+0x102
ioctl() at 0xffffffff80341950 = ioctl+0xf0
amd64_syscall() at 0xffffffff804f2724 = amd64_syscall+0x1f4
Xfast_syscall() at 0xffffffff804daa6c = Xfast_syscall+0xfc
--- syscall (54, FreeBSD ELF64, ioctl), rip = 0x800a74c9c, rsp = 0x7fffffffe328, rbp = 0x7fffffffee34 ---
Uptime: 52s
Dumping 354 out of 4079 MB:..5%..14%..23%..32%..41%..55%..64%..73%..82%..91%

Reading symbols from /boot/kernel/ipmi.ko...done.
Loaded symbols for /boot/kernel/ipmi.ko
#0  doadump () at /home/src/sys/kern/kern_shutdown.c:268
268		if (textdump_pending)
(kgdb) bt
#0  doadump () at /home/src/sys/kern/kern_shutdown.c:268
#1  0xffffffff802fcd2a in boot (howto=260) at /home/src/sys/kern/kern_shutdown.c:448
#2  0xffffffff802fd207 in panic (fmt=0x1 <Address 0x1 out of bounds>) at /home/src/sys/kern/kern_shutdown.c:639
#3  0xffffffff804f3150 in trap_fatal (frame=0xc, eva=Variable "eva" is not available.
) at /home/src/sys/amd64/amd64/trap.c:848
#4  0xffffffff804f34de in trap_pfault (frame=0xffffff81254f4750, usermode=0) at /home/src/sys/amd64/amd64/trap.c:764
#5  0xffffffff804f39ae in trap (frame=0xffffff81254f4750) at /home/src/sys/amd64/amd64/trap.c:457
#6  0xffffffff804da774 in calltrap () at /home/src/sys/amd64/amd64/exception.S:228
#7  0xffffffff803bb077 in bridge_linkstate (ifp=0xffffff000576e960) at pcpu.h:224
#8  0xffffffff803bb2f1 in bridge_delete_member (sc=0xffffff01030ea000, bif=0xffffff0103143600, gone=0)
    at /home/src/sys/net/if_bridge.c:996
#9  0xffffffff803bdbaa in bridge_clone_destroy (ifp=0xffffff01030a3960) at /home/src/sys/net/if_bridge.c:675
#10 0xffffffff803c03aa in ifc_simple_destroy (ifc=0xffffffff806ee140, ifp=Variable "ifp" is not available.
) at /home/src/sys/net/if_clone.c:610
#11 0xffffffff803c05ad in if_clone_destroyif (ifc=0xffffffff806ee140, ifp=0xffffff01030a3960)
    at /home/src/sys/net/if_clone.c:269
#12 0xffffffff803c095d in if_clone_destroy (name=Variable "name" is not available.
) at /home/src/sys/net/if_clone.c:230
#13 0xffffffff803b9329 in ifioctl (so=0xffffff0015aac000, cmd=2149607801, data=0xffffff0103150340 "bridge2127", 
    td=0xffffff01037f4470) at /home/src/sys/net/if.c:2597
#14 0xffffffff80341722 in kern_ioctl (td=Variable "td" is not available.
) at file.h:275
#15 0xffffffff80341950 in ioctl (td=0xffffff01037f4470, uap=0xffffff81254f4bc0) at /home/src/sys/kern/sys_generic.c:679
#16 0xffffffff804f2724 in amd64_syscall (td=0xffffff01037f4470, traced=0) at subr_syscall.c:114
#17 0xffffffff804daa6c in Xfast_syscall () at /home/src/sys/amd64/amd64/exception.S:387
#18 0x0000000800a74c9c in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) frame 7
#7  0xffffffff803bb077 in bridge_linkstate (ifp=0xffffff000576e960) at pcpu.h:224
224		__asm("movq %%gs:0,%0" : "=r" (td));
(kgdb) l
219	static __inline __pure2 struct thread *
220	__curthread(void)
221	{
222		struct thread *td;
223	
224		__asm("movq %%gs:0,%0" : "=r" (td));
225		return (td);
226	}
227	#define	curthread		(__curthread())
228	
(kgdb) frame 8
#8  0xffffffff803bb2f1 in bridge_delete_member (sc=0xffffff01030ea000, bif=0xffffff0103143600, gone=0)
    at /home/src/sys/net/if_bridge.c:996
996		bridge_linkstate(ifs);
(kgdb) l
991			}
992			/* reneable any interface capabilities */
993			bridge_set_ifcap(sc, bif, bif->bif_savedcaps);
994		}
995		bstp_destroy(&bif->bif_stp);	/* prepare to free */
996		bridge_linkstate(ifs);
997		BRIDGE_LOCK(sc);
998		free(bif, M_DEVBUF);
999	}
1000	
(kgdb) p *ifs
$1 = {if_softc = 0xffffff0103084280, if_l2com = 0xffffff0003f5d1d0, if_vnet = 0x0, if_link = {tqe_next = 0xffffff01030a3960, 
    tqe_prev = 0xffffff01031c7978}, if_xname = "vlan2127\000\000\000\000\000\000\000", if_dname = 0xffffffff8057613f "vlan", 
  if_dunit = 2127, if_refcount = 1, if_addrhead = {tqh_first = 0xffffff01031fa400, tqh_last = 0xffffff01031fa4b8}, 
  if_pcount = 0, if_carp = 0x0, if_bpf = 0xffffff0005744280, if_index = 271, if_timer = 0, if_vlantrunk = 0x0, 
  if_flags = 34819, if_capabilities = 259, if_capenable = 259, if_linkmib = 0xffffff0103084294, if_linkmiblen = 16, 
  if_data = {ifi_type = 135 '\207', ifi_physical = 0 '\0', ifi_addrlen = 6 '\006', ifi_hdrlen = 4 '\004', 
    ifi_link_state = 2 '\002', ifi_spare_char1 = 0 '\0', ifi_spare_char2 = 0 '\0', ifi_datalen = 152 '\230', ifi_mtu = 1500, 
    ifi_metric = 0, ifi_baudrate = 1000000000, ifi_ipackets = 4, ifi_ierrors = 0, ifi_opackets = 3, ifi_oerrors = 0, 
    ifi_collisions = 0, ifi_ibytes = 1368, ifi_obytes = 726, ifi_imcasts = 0, ifi_omcasts = 3, ifi_iqdrops = 0, 
    ifi_noproto = 0, ifi_hwassist = 102, ifi_epoch = 36, ifi_lastchange = {tv_sec = 1340097269, tv_usec = 174070}}, 
  if_multiaddrs = {tqh_first = 0x0, tqh_last = 0xffffff000576ea98}, if_amcount = 0, 
  if_output = 0xffffffff803c24d0 <ether_output>, if_input = 0xffffffff803c2150 <ether_input>, if_start = 0, 
  if_ioctl = 0xffffffff803caee0 <vlan_ioctl>, if_watchdog = 0, if_init = 0xffffffff803c94b0 <vlan_init>, 
  if_resolvemulti = 0xffffffff803c1840 <ether_resolvemulti>, if_qflush = 0xffffffff803c94c0 <vlan_qflush>, 
  if_transmit = 0xffffffff803caba0 <vlan_transmit>, if_reassign = 0, if_home_vnet = 0x0, if_addr = 0xffffff01031fa400, 
  if_llsoftc = 0x0, if_drv_flags = 64, if_snd = {ifq_head = 0x0, ifq_tail = 0x0, ifq_len = 0, ifq_maxlen = 10240, 
    ifq_drops = 0, ifq_mtx = {lock_object = {lo_name = 0xffffff000576e988 "vlan2127", lo_flags = 16973824, lo_data = 0, 
        lo_witness = 0x0}, mtx_lock = 4}, ifq_drv_head = 0x0, ifq_drv_tail = 0x0, ifq_drv_len = 0, ifq_drv_maxlen = 0, 
    altq_type = 0, altq_flags = 0, altq_disc = 0x0, altq_ifp = 0xffffff000576e960, altq_enqueue = 0, altq_dequeue = 0, 
    altq_request = 0, altq_clfier = 0x0, altq_classify = 0, altq_tbr = 0x0, altq_cdnr = 0x0}, 
  if_broadcastaddr = 0xffffffff80575380 "ÿÿÿÿÿÿ", if_bridge = 0x0, if_label = 0x0, if_prefixhead = {tqh_first = 0x0, 
    tqh_last = 0xffffff000576ebe0}, if_afdata = {0x0, 0x0, 0xffffff01030e7c60, 0x0 <repeats 25 times>, 0xffffff01030fac40, 
    0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, if_afdata_initialized = 2, if_afdata_lock = {lock_object = {
      lo_name = 0xffffffff805746ad "if_afdata", lo_flags = 69402624, lo_data = 0, lo_witness = 0x0}, rw_lock = 1}, 
  if_linktask = {ta_link = {stqe_next = 0x0}, ta_pending = 0, ta_priority = 0, 
    ta_func = 0xffffffff803b4750 <do_link_state_change>, ta_context = 0xffffff000576e960}, if_addr_mtx = {lock_object = {
      lo_name = 0xffffffff805746a1 "if_addr_mtx", lo_flags = 16973824, lo_data = 0, lo_witness = 0x0}, mtx_lock = 4}, 
  if_clones = {le_next = 0xffffff01033404b0, le_prev = 0xffffffff806ef780}, if_groups = {tqh_first = 0xffffff010338bc80, 
    tqh_last = 0xffffff01030b7208}, if_pf_kif = 0x0, if_lagg = 0x0, if_alloctype = 6 '\006', if_cspare = "\000\000", 
  if_description = 0x0, if_pspare = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, if_ispare = {0, 0, 0}, if_fib = 0}
(kgdb) quit

Script done on Tue Jun 19 16:25:50 2012

>Fix:

	Unknown.


>Release-Note:
>Audit-Trail:
>Unformatted: