netbsd-bugs: kern/23125: Destroying a configured gif tunnel causes panic

Subject: kern/23125: Destroying a configured gif tunnel causes panic
To: None <gnats-bugs@gnats.netbsd.org>
From: Frederick Bruckman <fredb@immanent.net>
List: netbsd-bugs
Date: 10/10/2003 13:36:11
>Number:         23125
>Category:       kern
>Synopsis:       Destroying a configured gif tunnel causes panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Oct 10 18:37:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator:     Frederick Bruckman
>Release:        NetBSD 1.6ZC
>Organization:
>Environment:
	
	
System: NetBSD rapture.immanent.net 1.6ZC NetBSD 1.6ZC (RAPTURE) #1: Tue Oct 7 08:27:38 CDT 2003 fredb@rapture.immanent.net:/usr/obj/usr/src/sys/arch/i386/compile/RAPTURE i386
Architecture: i386
Machine: i386
>Description:
	
	Destroying a configured gif tunnel consistently leads to a panic,
	as below. As of NetBSD-1.6Q, this used to neatly delete the tunnel,
	routes, and all the aliases.

	I've tried, one at a time, a patch posted to current users,

	http://mail-index.netbsd.org/current-users/2003/10/10/0000.html

	the patch in PR kern/22792, and reverting all the recent
	changes to if_clone_lookup() (src/sys/net/if.c, 1.128-130),
	but none of that made any difference.

>How-To-Repeat:
	

    # ifconfig gif0
    gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
	    tunnel inet 64.135.203.89 --> 64.71.128.82
	    inet6 2001:470:1f00:ffff::513 -> 2001:470:1f00:ffff::512 prefixlen 128
	    inet6 fe80::200:c0ff:fed3:51d5%gif0 ->  prefixlen 64 scopeid 0x7
    # ifconfig gif0 destroy
    uvm_fault(0xc6b79f00, 0, 0, 1) -> 0xe
    kernel: page fault trap, code=0
    Stopped in pid 2941.1 (ifconfig) at     netbsd:if_detach+0x1cb: movl    0x14(%ebx),%edi
    db> bt
    if_detach(c0665c00,0,900,c0345170,c6dd7ea4) at netbsd:if_detach+0x1cb
    gif_clone_destroy(c0665c00,0,b7d,c6ba1738,c6ba1738) at netbsd:gif_clone_destroy+0x63
    if_clone_destroy(c6dd7ea4,c6dfda06,c6dd7e2c,c015d5a7,334) at netbsd:if_clone_destroy+0x4a
    ifioctl(c05e6e58,80206979,c6dd7ea4,c6dfd86c,0) at netbsd:ifioctl+0xa1b
    sys_ioctl(c6b7cee0,c6dd7f64,c6dd7f5c,0,c6dd7fa4) at netbsd:sys_ioctl+0x126
    syscall_plain(c6dd7fa8,1f,1f,1f,1f) at netbsd:syscall_plain+0x74
    db>
    >Fix:
	    <how to correct or work around the problem, if known (multiple lines)>
	    Manual deleting the tunnel and the aliases first, allows
	    you to destroy the interface safely. For the above, that
	    would be:

	# ifconfig gif0 deletetunnel
	# ifconfig gif0 inet6 -alias 2001:470:1f00:ffff:513
	# ifconfig gif0 inet -alias fe80::200:c0ff:fed3:51d5
	# ifconfig gif0 destroy

	    Needless to say, this is messy and suboptimal.

>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
 	
 	
 	Sources as of Thurs, Oct 09, 2003