panic: assertion: _ifac->ifa_magic == IFA_CONTAINER_MAGIC in _IFAFREE
Matthew Dillon
dillon at apollo.backplane.com
Sun Mar 16 12:54:57 PDT 2008
:Hello.
:Just caught a panic while playing with NFS mounted git tree
:(but I cannot reliably reproduce it after that):
:
:panic: assertion: _ifac->ifa_magic == IFA_CONTAINER_MAGIC in _IFAFREE
:mp_lock = 00000001; cpuid = 1
: :
:and the backtrace below the panic is as follows:
:
:#9 0xc032907e in rtfree (rt=0xc116ca60)
: at /home/dfly/current/sys/net/if_var.h:469
:#10 0xc034e8ed in ip_output (m0=0xcc2fd100, opt=0x0, ro=0xc9ebde3c,
: flags=<value optimized out>, imo=0x0, inp=0xc9ebde00)
: at /home/dfly/current/sys/netinet/ip_output.c:245
I assume IFA_CONTAINER_MAGIC is a sanity check you added somewhere
in your local tree? It's a good idea but probably catches the
bug too late.
We definitely still have a use-after-free issue with IFA's. I have
been unable to locate where but clearly something is losing track of
the IFA and we are winding up with a dangling pointer.
-Matt
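
An added illustration (not from the original post or the DragonFly source) of why a magic-number check in the release path reports a use-after-free late: the check fires only when the stale pointer is next released, not where the reference was lost. All names and constants here are hypothetical, and a static slot stands in for freed memory so the stale pointer can be read safely.

```c
#include <stdio.h>

#define CONTAINER_MAGIC 0x49464143u /* constructed value marking a live object */
#define CONTAINER_DEAD  0xdeadc0deu /* constructed poison written on free */

struct container {                  /* hypothetical refcounted object */
    unsigned magic;
    int refcnt;
};

/* Static slot instead of malloc/free, so stale reads are well defined. */
static struct container pool[1];

static struct container *obj_alloc(void) {
    pool[0].magic = CONTAINER_MAGIC;
    pool[0].refcnt = 1;
    return &pool[0];
}

/* Drop one reference. Returns 0 on success, -1 where a kernel
 * assertion on the magic value would panic. */
static int obj_release(struct container *c) {
    if (c->magic != CONTAINER_MAGIC)
        return -1;                  /* stale pointer detected, but only now */
    if (--c->refcnt == 0)
        c->magic = CONTAINER_DEAD;  /* "free": poison the slot */
    return 0;
}

/* Replays the bug; returns the step at which the check fired, 0 if never. */
static int replay(void) {
    struct container *owner = obj_alloc();
    struct container *cached = owner;       /* step 1: second holder takes no reference (the bug) */
    if (obj_release(owner) != 0) return 2;  /* step 2: last real reference dropped, object freed */
    int stale = cached->refcnt;             /* step 3: stale read, nothing notices */
    (void)stale;
    if (obj_release(cached) != 0) return 4; /* step 4: magic check finally fires */
    return 0;
}

int main(void) {
    printf("check fired at step %d; the reference was lost at step 1\n", replay());
    return 0;
}
```
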