[Bug 211602] route change command for ipv6 route with bad gateway leads to deadlock/panic

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Fri Aug 5 15:38:10 UTC 2016


            Bug ID: 211602
           Summary: route change command for ipv6 route with bad gateway
                    leads to deadlock/panic
           Product: Base System
           Version: 11.0-BETA3
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: guyyur at gmail.com

When changing a route, rtrequest1_fib acquires a RIB_WLOCK.
If the ifa is not found, rtalloc1_fib might be called and it does a RIB_RLOCK.
This leads to a panic if INVARIANTS is in the kernel config or to a deadlock if

Example of bad gateway is forgetting the %IF when using a link local address.
# route add -inet6 default fe80::7
# route change -inet6 default fe80::7

Another example is changing when the route to the gateway was deleted.
# route add -inet6 2001:db8:0::/64 fe80::7%lo0
# route add -inet6 2001:db8:1::/64 2001:db8:0::1
# route delete -inet6 2001:db8:0::/64
# route change -inet6 2001:db8:1::/64 2001:db8:0::1

With 12.0-CURRENT r303766:
panic: rw_rlock: wlock already held for rib head lock @
cpuid = 0
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00de231220
vpanic() at vpanic+0x182/frame 0xfffffe00de2312a0
kassert_panic() at kassert_panic+0x126/frame 0xfffffe00de231310
__rw_rlock() at __rw_rlock+0x4a3/frame 0xfffffe00de2313b0
rtalloc1_fib() at rtalloc1_fib+0x86/frame 0xfffffe00de231470
ifa_ifwithroute() at ifa_ifwithroute+0x83/frame 0xfffffe00de2314b0
rt_getifa_fib() at rt_getifa_fib+0xe7/frame 0xfffffe00de2314d0
rtrequest1_fib() at rtrequest1_fib+0x596/frame 0xfffffe00de2315c0
route_output() at route_output+0x6ce/frame 0xfffffe00de2317c0
sosend_generic() at sosend_generic+0x436/frame 0xfffffe00de231880
soo_write() at soo_write+0x42/frame 0xfffffe00de2318b0
dofilewrite() at dofilewrite+0xa4/frame 0xfffffe00de231900
kern_writev() at kern_writev+0x68/frame 0xfffffe00de231950
sys_write() at sys_write+0x84/frame 0xfffffe00de2319a0
amd64_syscall() at amd64_syscall+0x2db/frame 0xfffffe00de231ab0
Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffe00de231ab0
--- syscall (4, FreeBSD ELF64, sys_write), rip = 0x800977b1a, rsp =
0x7fffffffe1b8, rbp = 0x7fffffffea80 ---
KDB: enter: panic
[ thread pid 609 tid 100106 ]
Stopped at      kdb_enter+0x3b: movq    $0,kdb_why

I restored RTF_RNH_LOCKED (removed in r293829) locally as a workaround to
notify rtalloc1_fib a lock is not needed until a better solution is found.

You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list