NetBSD Problem Report #52255
From paul@whooppee.com Wed May 24 03:34:10 2017
Return-Path: <paul@whooppee.com>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id BF7E77A2AA
for <gnats-bugs@gnats.NetBSD.org>; Wed, 24 May 2017 03:34:10 +0000 (UTC)
Message-Id: <20170524033408.15B8B16E68@speedy.whooppee.com>
Date: Wed, 24 May 2017 11:34:08 +0800 (+08)
From: paul@whooppee.com
Reply-To: paul@whooppee.com
To: gnats-bugs@NetBSD.org
Subject: if_tun panic in tun_clone_destroy()
X-Send-Pr-Version: 3.95
>Number: 52255
>Category: kern
>Synopsis: if_tun panic in tun_clone_destroy()
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed May 24 03:35:00 +0000 2017
>Closed-Date: Wed May 24 06:54:09 +0000 2017
>Last-Modified: Wed May 24 06:55:00 +0000 2017
>Originator: Paul Goyette
>Release: NetBSD 7.99.71
>Organization:
+------------------+--------------------------+----------------------------+
| Paul Goyette | PGP Key fingerprint: | E-mail addresses: |
| (Retired) | FA29 0E3B 35AF E8AE 6651 | paul at whooppee dot com |
| Kernel Developer | 0786 F758 55DE 53BA 7731 | pgoyette at netbsd dot org |
+------------------+--------------------------+----------------------------+
>Environment:
System: NetBSD speedy.whooppee.com 7.99.71 NetBSD 7.99.71 (SPEEDY 2017-05-11 00:01:07 UTC) #0: Thu May 11 04:22:38 UTC 2017 paul@speedy.whooppee.com:/build/netbsd-local/obj/amd64/sys/arch/amd64/compile/SPEEDY amd64
Architecture: x86_64
Machine: amd64
>Description:
When built with lockdebug, tun_clone_destroy() encounters a panic when
calling kmem_intr_free() to free the device's softc. It seems that there
is still an active lock contained within the softc.
A little investigation shows that the lock must actually be inside the
'struct ifnet'; the only lock inside the tun-specific portion of the softc
is the tun_lock, which is already being kmutex_destroy()d before the call
to kmem_intr_free(). But I don't see anywhere where the actual kmutex is
contained inside 'struct ifnet' - just pointers to various lock things.
>How-To-Repeat:
1. Bring up a tunnel (I use openvpn for this)
2. Shut the system down, which should cause the tunnel to be destroyed
>Fix:
Not known.
XXX
Note that other cloning network devices might well have a similar bug!
>Release-Note:
>Audit-Trail:
From: Paul Goyette <paul@whooppee.com>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: kern/52255: if_tun panic in tun_clone_destroy()
Date: Wed, 24 May 2017 11:37:38 +0800 (+08)
>> How-To-Repeat:
> 1. Bring up a tunnel (I use openvpn for this)
> 2. Shut the system down, which should cause the tunnel to be destroyed
Note an important step 0!
0. Build and boot a kernel with 'options LOCKDEBUG' enabled
:)
State-Changed-From-To: open->closed
State-Changed-By: pgoyette@NetBSD.org
State-Changed-When: Wed, 24 May 2017 06:54:09 +0000
State-Changed-Why:
Fix committed
From: "Paul Goyette" <pgoyette@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52255 CVS commit: src/sys/net
Date: Wed, 24 May 2017 06:52:15 +0000
Module Name: src
Committed By: pgoyette
Date: Wed May 24 06:52:14 UTC 2017
Modified Files:
src/sys/net: if_tun.c
Log Message:
Call cv_destroy() to deactivate the tun_cv before calling kmem_intr_free()
to deallocate the containing memory chunk (the tunnel's softc). Otherwise
a LOCKDEBUG kernel will panic in tun_clone_destroy().
Fixes PR kern/52255
To generate a diff of this commit:
cvs rdiff -u -r1.138 -r1.139 src/sys/net/if_tun.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2014
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.