panic: assertion: _ifac->ifa_magic == IFA_CONTAINER_MAGIC in _IFAFREE
YONETANI Tomokazu
qhwt+dfly at les.ath.cx
Mon Mar 17 17:54:40 PDT 2008
On Mon, Mar 17, 2008 at 09:59:30PM +0800, Sepherosa Ziehau wrote:
> On Mon, Mar 17, 2008 at 11:06 AM, YONETANI Tomokazu
> <qhwt+dfly at les.ath.cx> wrote:
> > On Sun, Mar 16, 2008 at 08:09:17PM +0800, Sepherosa Ziehau wrote:
> > > On Sun, Mar 16, 2008 at 6:07 PM, YONETANI Tomokazu <qhwt+dfly at les.ath.cx> wrote:
> > > > Hello.
> > > > Just caught a panic while playing with NFS mounted git tree
> > > > (but I cannot reliably reproduce it after that):
> > >
> > > dst address of a UDP packet is changed, which changes port/addr hash
> > > too, but old route entry was not allocated on the current CPU. Since
> > > the box only contains 2 CPUs, after the l{port,addr}/f{port,addr}
> > > hash, the problem probably will not show itself ;). Please run
> > > following test program several times and then unload the NIC module to
> > > see whether you could reproduce the problem (if you have TCP
> > > connections too, you will have to wait 2MSL):
> > > http://leaf.dragonflybsd.org/~sephe/test_udp.c
> >
> > I've been trying to reproduce it but so far unsuccessful...
>
> I have changed this test program a little bit. Run it in following way:
> ./test_udp remote_ip
>
> If it paused, then on the other term:
> ifconfig iface_local down
> And kill test_udp, if you don't have TCP connection, the panic should
> happen immediately.
Yes! But this time at a different place:
#9 0xc0328dc2 in rtrequest1 (req=11, rtinfo=0xca77ec9c, ret_nrt=0xca77ecf0)
at /home/dfly/current/sys/net/if_var.h:445
#10 0xc032915f in rtrequest (req=11, dst=0xca77ed14, gateway=0x0, netmask=0x0,
flags=0, ret_nrt=0xca77ecf0) at /home/dfly/current/sys/net/route.c:637
#11 0xc0329386 in _rtlookup (dst=0xca77ed14, generate_report=1, ignore=0)
at /home/dfly/current/sys/net/route.c:275
#12 0xc0343642 in arplookup (addr=30085292, create=1, proxy=-1067129044)
at /home/dfly/current/sys/net/route.h:364
#13 0xc034371a in arp_update_oncpu (m=<value optimized out>, saddr=30085292,
create=28790, dologging=0) at /home/dfly/current/sys/netinet/if_ether.c:563
#14 0xc0343f66 in arp_update_msghandler (netmsg=0xc985bd08)
at /home/dfly/current/sys/netinet/if_ether.c:877
#15 0xc03284a2 in rtable_service_loop (dummy=0x0)
at /home/dfly/current/sys/net/route.c:178
#16 0xc02c12e5 in lwkt_deschedule_self (td=Cannot access memory at address 0x8
)
at /home/dfly/current/sys/kern/lwkt_thread.c:214
So, can I start testing your patch, or do you need an update to it?
Thanks.
> Though the panic place is different, but the root cause should be same:
> Initially UDP socket is neither connected nor bound, thus f{addr,port}
> and l{addr,port} in pcb are 0. Sending the first datagram on this
> socket will be dispatched to CPU0. Then lport is chosen in
> udp_output() and route entry is allocated on CPU0. If (lport >> 8 &
> 1) is 1 on a 2 CPU box, then rest of socket operation will happen on
> CPU1, e.g. sending to different faddr will cause route entry allocated
> on CPU0 be freed on CPU1.
>
> I think we need to fix following entry points:
> 1) udp_output(): after ip_output() if old_lport==0 and
> mycpuid!=udp_addrcpu(inpcb addr/port pair) then free inpcb's route
> entry
> 2) udp_connect(): this function always happens on CPU0, so if
> udp_addrcpu(inpcb addr/port pair)!=mycpuid(0 here), then we need to
> free inpcb's route entry
> 3) udp_disconnect(): at the end of it, if mycpuid!=udp_addrcpu(inpcb
> addr/port pair) then free inpcb's route entry
>
> I may miss some entry points here, so please point them out to me, if
> some pop up in your mind.
>
> Best Regards,
> sephe
More information about the Bugs
mailing list