panic: assertion: _ifac->ifa_magic == IFA_CONTAINER_MAGIC in _IFAFREE
Sepherosa Ziehau
sepherosa at gmail.com
Mon Mar 17 07:09:37 PDT 2008
On Mon, Mar 17, 2008 at 11:06 AM, YONETANI Tomokazu
<qhwt+dfly at les.ath.cx> wrote:
> On Sun, Mar 16, 2008 at 08:09:17PM +0800, Sepherosa Ziehau wrote:
> > On Sun, Mar 16, 2008 at 6:07 PM, YONETANI Tomokazu <qhwt+dfly at les.ath.cx> wrote:
> > > Hello.
> > > Just caught a panic while playing with NFS mounted git tree
> > > (but I cannot reliably reproduce it after that):
> >
> > dst address of a UDP packet is changed, which changes port/addr hash
> > too, but old route entry was not allocated on the current CPU. Since
> > the box only contains 2 CPUs, after the l{port,addr}/f{port,addr}
> > hash, the problem probably will not show itself ;). Please run
> > following test program several times and then unload the NIC module to
> > see whether you could reproduce the problem (if you have TCP
> > connections too, you will have to wait 2MSL):
> > http://leaf.dragonflybsd.org/~sephe/test_udp.c
>
> I've been trying to reproduce it but so far unsuccessful...
I have changed this test program a little bit. Run it in following way:
. /test_udp remote_ip
If it paused, then on the other term:
ifconfig iface_local down
And kill test_udp, if you don't have TCP connection, the panic should
happen immediately.
Though the panic place is different, but the root cause should be same:
Initially UDP socket is neither connected nor bound, thus f{addr,port}
and l{addr,port} in pcb are 0. Sending the first datagram on this
socket will be dispatched to CPU0. Then lport is chosen in
udp_output() and route entry is allocated on CPU0. If (lport >> 8 &
1) is 1 on a 2 CPU box, then rest of socket operation will happen on
CPU1, e.g. sending to different faddr will cause route entry allocated
on CPU0 be freed on CPU1.
I think we need to fix following entry points:
1) udp_output(): after ip_output() if old_lport==0 and
mycpuid!=udp_addrcpu(inpcb addr/port pair) then free inpcb's route
entry
2) udp_connect(): this function always happens on CPU0, so if
udp_addrcpu(inpcb addr/port pair)!=mycpuid(0 here), then we need to
free inpcb's route entry
3) udp_disconnect(): at the end of it, if mycpuid!=udp_addrcpu(inpcb
addr/port pair) then free inpcb's route entry
I may miss some entry points here, so please point them out to me, if
some pop up in your mind.
Best Regards,
sephe
--
Live Free or Die
More information about the Bugs
mailing list