OpenSolaris

Bug ID 6747137
Synopsis zone shutdown finds free'd data in arp
State 10-Fix Delivered (Fix available in build)
Category:Subcategory kernel:tcp-ip
Keywords
Responsible Engineer Darren Reed
Reported Against
Duplicate Of
Introduced In solaris_nevada
Commit to Fix snv_102
Fixed In snv_102
Release Fixed solaris_nevada(snv_102) , solaris_10u7(s10u7_04) (Bug ID:2168726)
Related Bugs 6418698 , 6746721
Submit Date 11-September-2008
Last Update Date 6-November-2008
Description
System fails like this:
panic[cpu16]/thread=300275ab400: 
assertion failed: token != 0L, file: ../../common/io/hook.c, line: 607


000002a104bf4780 genunix:assfail+78 (7bbbdda8, 7bbbdd10, 25f, 1889400, 1376800, 
0)
  %l0-3: 0000060015d51ce0 0000060012531bb0 0000000008004020 000000007bf58800
  %l4-7: 0000000000000000 0000000000000000 00000000018dec00 0000000000000000
000002a104bf4830 hook:hook_run+1c (deadbeefdeadbeef, 0, 2a104bf4990, 7efefeff, 8
1010100, 7bbbdd10)
  %l0-3: 0000060015d51ce0 0000060012531bb0 0000000008004020 000000007bf58800
  %l4-7: 0000000000000000 0000000001381000 0000000000000000 0000060015d8b870
000002a104bf48e0 arp:ar_close+280 (60015d8b808, 6001218fb10, 60012cf7ae8, 60012b
63180, 2a104bf49c0, 2)
  %l0-3: 0000060015d51ce0 0000060012531bb0 0000000008004020 000000007bf58800
  %l4-7: 0000000000000000 0000000001381000 0000000000000000 0000060015d8b870
000002a104bf49e0 genunix:qdetach+bc (60015d8b808, 1, 3, 6001218fb10, 0, 60015d8b
900)
  %l0-3: fffffffffffffffb 0000000000004010 0000000008004020 0000000008004000
  %l4-7: 0000060012f72338 0000000001381000 0000000000000000 0000060015d8b870
000002a104bf4a90 genunix:strclose+4bc (60015d8b808, 60015d8be50, 137ff68, 138001
0, 200000, 60015d8bd58)
  %l0-3: fffffffffffffffb 0000060015d8bed2 0000060012f723c0 0000060012f723b8
  %l4-7: 0000060012f72338 0000000000000001 0000000000000000 0000000000040000
000002a104bf4b70 specfs:device_close+84 (60015d54500, 3, 60012f72338, 6001218fb1
0, 2000, 4)                           
  %l0-3: 0000060012f522f8 00000040000003f2 0000000000000040 0000000000000040
  %l4-7: 00000000ffffffff ffffffffffffffff 000000007030f948 00000600104363c8
000002a104bf4c20 specfs:spec_close+160 (60015d54500, 3, 1915000, 60012f522d0, 60
01218fb10, 60012f52248)
  %l0-3: 0000000000008420 0000000000000000 0000000000000040 0000000000000004
  %l4-7: 0000000000000000 000000000139fc00 0000000000000000 000000000000000d
000002a104bf4cd0 genunix:fop_close+48 (60015d54500, 3, 1, 0, 6001218fb10, 0)
  %l0-3: 000000000136c400 0000060015d54500 0000000000000001 0000000000000003
  %l4-7: 0000000000000000 0000000000004000 0000000001381400 000000000000fc00
000002a104bf4d80 genunix:closef+ac (60012b380a8, 300275ab400, 0, 18004bdc8f0, 0,
 1915000)
  %l0-3: 000000000136c400 0000060015d54500 0000000000000001 0000000000000003
  %l4-7: 0000000000000000 0000000000004000 0000000001381400 000000000000fc00
000002a104bf4e30 genunix:munlink+4ac (0, 8000000, 60012b380a8, f7ffffff, 0, f7ff
fc00)
  %l0-3: 0000060012f723b8 0000060012f72338 0000000000000002 0000060015ca3008
  %l4-7: 0000000008000040 0000000000004000 0000000001381400 000000000000fc00
000002a104bf4f00 genunix:munlinkall+40 (60015d9ab38, 2, 6001258c1c8, 2a104bf5474
, 60015c6c910, 0)
  %l0-3: 0000000000000016 000002a104bf5474 0000060015d9abb8 0000060012b51d80
  %l4-7: 0000000000000002 0000000000005317 0000000000000003 000000000191dfb0
000002a104bf4fb0 genunix:strioctl+2954 (60015dff400, 5317, 60015d9ab38, 60015c6c
910, ffffffff, 6001258c1c8)
  %l0-3: 0000000000000016 000002a104bf5474 0000060015d9abb8 0000060012b51d80
  %l4-7: 0000000000000002 0000000000005317 0000000000000003 0000000000005000
000002a104bf5300 genunix:ldi_ioctl+f4 (60015de47d0, f00ffc00, ffffffffffffffff, 
80200000, 6001258c1c8, 2a104bf5474)
  %l0-3: 0000000000000002 0000000000005317 0000000000005316 0000000000005000
  %l4-7: 0000000000000029 00000000000000a4 000000290000002d 000000007ffffc00
000002a104bf53c0 genunix:str_stack_shutdown+dc (5000, 60015c6c910, 600149089e0, 
2a104bf5488, 29, 6001258c1c8)
  %l0-3: 0000000000000155 00000300723b8000 0000000000000668 00000000000000cd
  %l4-7: 0000000000000029 00000000000000a4 000000290000002d 000000007ffffc00
000002a104bf5490 genunix:netstack_apply_shutdown+128 (18de990, 60012b51d80, 1, 1
8de7a0, 0, 60012b51e40)
  %l0-3: 0000000000000000 0000060012b51e00 0000000000000000 0000060015c6c910
  %l4-7: 0000000001268678 0000000000000001 0000000001373c00 0000000000000000
000002a104bf5540 genunix:apply_all_modules_reverse+24 (18de990, 11daaf8, 0, 4, 6
0012b51d80, 0)
  %l0-3: 00000000018de7a0 0000000001373c58 00000000018de790 0000060012b51e00
  %l4-7: 0000000000000010 00000000018de990 0000000000000014 0000060012b51d80
000002a104bf55f0 genunix:netstack_zone_shutdown+164 (60012b51e40, 11da800, 60012
b51d80, 1, 1373c00, 1373c00)
  %l0-3: 00000000018de7a0 0000000001373c58 00000000018de790 0000060012b51e00
  %l4-7: 0000000000000010 00000000018de990 0000000000000014 0000060012b51d80
000002a104bf56a0 genunix:zsd_apply_shutdown+18c (0, 1, 60012bbfa80, 2, 1, 60012b
bfa98)
  %l0-3: 0000060012bbfb50 0000000000000002 000006001318dc00 0000000000000000
  %l4-7: 0000000000000004 0000000000000014 0000000000000014 0000060012b51d80
000002a104bf5750 genunix:zsd_apply_all_keys+34 (12de068, 60012bbfa80, 1, 60012bb
fa98, 60012bbfb50, 6001318dc00)
  %l0-3: 0000060012bbfb50 0000060012bbfa98 0000000000000000 0000000000000000
  %l4-7: 0000000000000004 0000000000000014 0000000000000000 0000000001914c00
000002a104bf5800 genunix:zone_zsd_callbacks+150 (12de270, 1, 60012bbfa80, 12de00
0, 12de000, 0)
  %l0-3: 0000060012bbfb50 0000060012bbfa98 0000000000000000 0000000000000000
  %l4-7: 0000000000000004 0000000000000014 0000000000000000 0000000001914c00
000002a104bf58b0 genunix:zone_shutdown+1a4 (1, 1f644, 187ec00, 4, 60012bbfa80, 0
)
  %l0-3: 0000000001913058 0000000001913000 0000060012bbfa98 0000000000000005
  %l4-7: 00000000018c56a8 0000000000000000 0000000000000000 0000000001914c00
000002a104bf5960 genunix:zone+19c (5, 1, 5, 1d4, 0, 12e4c00)
  %l0-3: 000000000100a2b8 000002a104bf5b90 0000060012d9a0e0 0000000000000016
  %l4-7: 00000000018c56a8 0000000000037000 00000300275ab400 00000000012e4f70

syncing file systems...               
 132
 46
 done
dumping to /dev/dsk/c1t0d0s1, offset 215744512, content: kernel


vpanic(1376b10, 7bbbdda8, 7bbbdd10, 25f, 81010100, 7bbbdd10)
assfail+0x78(7bbbdda8, 7bbbdd10, 25f, 1889400, 1376800, 0)
hook_run+0x1c(deadbeefdeadbeef, 0, 2a104bf4990, 7efefeff, 81010100, 7bbbdd10)
ar_close+0x280(60015d8b808, 6001218fb10, 60012cf7ae8, 60012b63180, 2a104bf49c0, 
2)
qdetach+0xbc(60015d8b808, 1, 3, 6001218fb10, 0, 60015d8b900)
strclose+0x4bc(60015d8b808, 60015d8be50, 137ff68, 1380010, 200000, 60015d8bd58)
device_close+0x84(60015d54500, 3, 60012f72338, 6001218fb10, 2000, 4)
spec_close+0x160(60015d54500, 3, 1915000, 60012f522d0, 6001218fb10, 60012f52248
)
fop_close+0x48(60015d54500, 3, 1, 0, 6001218fb10, 0)
closef+0xac(60012b380a8, 300275ab400, 0, 18004bdc8f0, 0, 1915000)
munlink+0x4ac(0, 8000000, 60012b380a8, f7ffffff, 0, f7fffc00)
munlinkall+0x40(60015d9ab38, 2, 6001258c1c8, 2a104bf5474, 60015c6c910, 0)
strioctl+0x2954(60015dff400, 5317, 60015d9ab38, 60015c6c910, ffffffff, 
6001258c1c8)
ldi_ioctl+0xf4(60015de47d0, f00ffc00, ffffffffffffffff, 80200000, 6001258c1c8, 
2a104bf5474)
str_stack_shutdown+0xdc(5000, 60015c6c910, 600149089e0, 2a104bf5488, 29, 
6001258c1c8)
netstack_apply_shutdown+0x128(18de990, 60012b51d80, 1, 18de7a0, 0, 60012b51e40)
apply_all_modules_reverse+0x24(18de990, 11daaf8, 0, 4, 60012b51d80, 0)
netstack_zone_shutdown+0x164(60012b51e40, 11da800, 60012b51d80, 1, 1373c00, 
1373c00)
zsd_apply_shutdown+0x18c(0, 1, 60012bbfa80, 2, 1, 60012bbfa98)
zsd_apply_all_keys+0x34(12de068, 60012bbfa80, 1, 60012bbfa98, 60012bbfb50, 
6001318dc00)
zone_zsd_callbacks+0x150(12de270, 1, 60012bbfa80, 12de000, 12de000, 0)
zone_shutdown+0x1a4(1, 1f644, 187ec00, 4, 60012bbfa80, 0)
zone+0x19c(5, 1, 5, 1d4, 0, 12e4c00)
s> ::panicinfo
             cpu               16
          thread      300275ab400
         message 
assertion failed: token != 0L, file: ../../common/io/hook.c, line: 607
          tstate       44e2001607
              g1         7bbbdc00
              g2                5
              g3             e51c
              g4             e51b
              g5      300716184a8
              g6       7c3e52cf10
              g7      300275ab400
              o0          1376b10
              o1      2a104bf4808
              o2              25f
              o3          1889400
              o4          1376800
              o5                0
              o6      2a104bf3ed1
              o7          109044c
              pc          1069f94
             npc          1069f98
               y                0


Looks like arp_stack_shutdown happened before ar_close, but pfhooks
doesn't account for that ordering. I suspect that arp_hook_destroy should happen
at the end of ar_close, and arp_hook_init should happen in ar_open.
*** (#2 of 4): 2008-09-10 07:15:53 PDT  xxxxx@xxxxx.com

> 2a104bf4990::print -t hook_nic_event_t
{
    net_handle_t hne_protocol = 0x11b57f0012ddcc8
    phy_if_t hne_nic = 0x1
    lif_if_t hne_lif = 0
    nic_event_t hne_event = 2 (NE_UNPLUMB)
    nic_event_data_t hne_data = 0x2a104bf49c0
    size_t hne_datalen = 0x7
}
> 0x2a104bf49c0/s
0x2a104bf49c0:  e1000g1
and 0x11b57f0012ddcc8 is off in no man's land...
> 60012b63180::print -t arp_stack_t   
{
    netstack_t *as_netstack = 0x60012b51d80
    void *as_head = 0
    caddr_t as_nd = 0x600127be560
    struct arl_s *as_arl_head = 0
    arpparam_t *as_param_arr = 0x6001231f080
    struct ace_s *[256] as_ce_hash_tbl = [ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ... ]
    ace_t *as_ce_mask_entries = 0
    krwlock_t as_arl_lock = {
        void *[1] _opaque = [ 0 ]
    }
    uint32_t as_arp_index_counter = 0x2
    uint32_t as_arp_counter_wrapped = 0
    hook_family_t as_arproot = {
        int hf_version = 0x1
        char *hf_name = 0x7bf58ea8 "arp"
    }
    hook_event_t as_arp_physical_in_event = {
        int he_version = 0x1
        char *he_name = 0x7bf58ee8 "PHYSICAL_IN"
        int he_flags = 0
        boolean_t he_interested = 0 (B_FALSE)
    }
    hook_event_t as_arp_physical_out_event = {
        int he_version = 0x1
        char *he_name = 0x7bf58f38 "PHYSICAL_OUT"
        int he_flags = 0
        boolean_t he_interested = 0 (B_FALSE)
    }
    hook_event_t as_arp_nic_events = {
        int he_version = 0x1
        char *he_name = 0x7bf58f88 "NIC_EVENTS"
        int he_flags = 0              
        boolean_t he_interested = 0 (B_FALSE)
    }
    hook_event_token_t as_arp_physical_in = 0
    hook_event_token_t as_arp_physical_out = 0
    hook_event_token_t as_arpnicevents = 0
    net_handle_t as_net_data = 0x60012cf7ae8
}
> 0x60012cf7ae8::print -t struct net_data
{
    struct  netd_list = {
        struct net_data *le_next = 0xdeadbeefdeadbeef
        struct net_data **le_prev = 0xdeadbeefdeadbeef
    }
    net_protocol_t netd_info = {
        int netp_version = 0xdeadbeef
        char *netp_name = 0xdeadbeefdeadbeef
        int (*)() netp_getifname = 0xdeadbeefdeadbeef
        int (*)() netp_getmtu = 0xdeadbeefdeadbeef
        int (*)() netp_getpmtuenabled = 0xdeadbeefdeadbeef
        int (*)() netp_getlifaddr = 0xdeadbeefdeadbeef
        int (*)() netp_phygetnext = 0xdeadbeefdeadbeef
        int (*)() netp_phylookup = 0xdeadbeefdeadbeef
        int (*)() netp_lifgetnext = 0xdeadbeefdeadbeef
        int (*)() netp_inject = 0xdeadbeefdeadbeef
        int (*)() netp_routeto = 0xdeadbeefdeadbeef
        int (*)() netp_ispartialchecksum = 0xdeadbeefdeadbeef
        int (*)() netp_isvalidchecksum = 0xdeadbeefdeadbeef
    }
    int netd_refcnt = 0xdeadbeef
    hook_family_int_t *netd_hooks = 0xdeadbeefdeadbeef
    struct neti_stack_s *netd_stack = 0xdeadbeefdeadbeef
    int netd_condemned = 0xdeadbeef
}
jackpot!

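So in the first instance, it is obvious that as_net_data isn't being cleared out when
it should be in arp_net_destroy(): the net_data it still points to has already been freed
(every field reads 0xdeadbeef), so anything that follows the pointer afterwards, as the
ar_close() path in the panic does, is reading freed memory. The next is that, given this is
happening as the stack is dying, we need to be sure that the event is still present when we
try to execute the hook.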
Work Around
N/A
Comments
N/A