From jhanna@pangolin-systems.com  Mon Jul 27 05:39:11 2009
Return-Path: <jhanna@pangolin-systems.com>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 50B66106564A
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 27 Jul 2009 05:39:11 +0000 (UTC)
	(envelope-from jhanna@pangolin-systems.com)
Received: from mx8-3.i-mecca.net (mx8-3.i-mecca.net [65.39.179.81])
	by mx1.freebsd.org (Postfix) with ESMTP id 29F108FC19
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 27 Jul 2009 05:39:10 +0000 (UTC)
	(envelope-from jhanna@pangolin-systems.com)
Received: from ns8.i-mecca.net (localhost [127.0.0.1])
	by ns8.i-mecca.net (Postfix) with ESMTP id 1A3A37280C0
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 27 Jul 2009 01:19:19 -0400 (EDT)
Received: from pangolin-gbh.mine.nu (S010600044b058cb5.vc.shawcable.net [24.85.82.254])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by ns8.i-mecca.net (Postfix) with ESMTPSA id 7A1077280C0
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 27 Jul 2009 01:19:18 -0400 (EDT)
Received: from pangolin-gbh.mine.nu (localhost [127.0.0.1])
	by pangolin-gbh.mine.nu (8.14.3/8.14.3) with ESMTP id n6R5JC2M002835
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 26 Jul 2009 22:19:12 -0700 (PDT)
	(envelope-from jhanna@pangolin-systems.com)
Received: (from jhanna@localhost)
	by pangolin-gbh.mine.nu (8.14.3/8.14.3/Submit) id n6R5JCLL002834;
	Sun, 26 Jul 2009 22:19:12 -0700 (PDT)
	(envelope-from jhanna)
Message-Id: <200907270519.n6R5JCLL002834@pangolin-gbh.mine.nu>
Date: Sun, 26 Jul 2009 22:19:12 -0700 (PDT)
From: Jonathan Hanna <jhanna@pangolin-systems.com>
Reply-To: Jonathan Hanna <jhanna@pangolin-systems.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: assert panic imo_match_source()
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         137164
>Category:       kern
>Synopsis:       [netinet] [patch] assert panic imo_match_source()
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-net
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 27 05:40:01 UTC 2009
>Closed-Date:    Tue Sep 29 06:17:39 UTC 2009
>Last-Modified:  Tue Oct  6 17:20:02 UTC 2009
>Originator:     Jonathan Hanna
>Release:        FreeBSD 8.0-BETA2 i386
>Organization:
>Environment:
System: FreeBSD gbh.pangolin-systems.com 8.0-BETA2 FreeBSD 8.0-BETA2 #46 r195894M: Sun Jul 26 11:00:39 PDT 2009 jhanna@gbh.pangolin-systems.com:/usr/obj/usr/src/sys/GBH i386


>Description:

Machine panics after a few hours, reason unknown.
SVN: r195894, only local patch is reversion of latest
change to mii/e1000phy.c, for use of nfe.

panic: imo_match_source: !AF_INET

#0  doadump () at pcpu.h:246
246     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) #0  doadump () at pcpu.h:246
#1  0xc08a238f in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:419
#2  0xc08a2672 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:575
#3  0xc09a8933 in imo_match_source (imo=0xc80eb4c0, gidx=0, src=0x0)
    at /usr/src/sys/netinet/in_mcast.c:320
#4  0xc09aa53e in inp_setmoptions (inp=0xc8318d04, sopt=0xf5cbac3c)
    at /usr/src/sys/netinet/in_mcast.c:1975
#5  0xc09b655c in ip_ctloutput (so=0xc8cfa338, sopt=0xf5cbac3c)
    at /usr/src/sys/netinet/ip_output.c:1032
#6  0xc0a2c5d7 in udp_ctloutput (so=0xc8cfa338, sopt=0xf5cbac3c)
    at /usr/src/sys/netinet/udp_usrreq.c:861
#7  0xc090524d in sosetopt (so=0xc8cfa338, sopt=0xf5cbac3c)
    at /usr/src/sys/kern/uipc_socket.c:2377
#8  0xc090c79c in kern_setsockopt (td=0xc6b86480, s=15, level=0, name=12, 
    val=0xbfbfdf9c, valseg=UIO_USERSPACE, valsize=12)
    at /usr/src/sys/kern/uipc_syscalls.c:1329
#9  0xc090c82e in setsockopt (td=0xc6b86480, uap=0xf5cbacf8)
    at /usr/src/sys/kern/uipc_syscalls.c:1284
#10 0xc0c058e3 in syscall (frame=0xf5cbad38)
    at /usr/src/sys/i386/i386/trap.c:1073
#11 0xc0be8ea0 in Xint0x80_syscall ()
    at /usr/src/sys/i386/i386/exception.s:261
#12 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)


>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:

From: Stef Walter <stef@memberwebs.com>
To: bug-followup@FreeBSD.org, jhanna@pangolin-systems.com
Cc:  
Subject: Re: kern/137164: [socket] [panic] assert panic imo_match_source()
Date: Fri, 04 Sep 09 18:20:01 UTC

 I see this too when bringing up a tapX interface, while ospf is running
 on the machine. It doesn't happen every time, but I can duplicate it
 readily.
 
 8.0-BETA3 i386
 

From: Stef Walter <stef-list@memberwebs.com>
To: bug-followup@FreeBSD.org, jhanna@pangolin-systems.com
Cc:  
Subject: Re: kern/137164: [socket] [panic] assert panic imo_match_source()
Date: Thu, 10 Sep 09 06:00:10 UTC

 This is a multi-part message in MIME format.
 --------------060002070100090400000100
 Content-Type: text/plain; charset=ISO-8859-1
 Content-Transfer-Encoding: 7bit
 
 This patch (by Shteryana Shopova) fixes the problem.
 
 --------------060002070100090400000100
 Content-Type: text/x-diff;
  name="freebsd-mcast-eaddrinuse.patch"
 Content-Transfer-Encoding: 7bit
 Content-Disposition: inline;
  filename="freebsd-mcast-eaddrinuse.patch"
 
 --- sys/netinet/in_mcast.c.orig	2009-08-03 08:13:06.000000000 +0000
 +++ sys/netinet/in_mcast.c	2009-09-09 01:35:06.000000000 +0000
 @@ -1964,4 +1964,8 @@
  	if (idx == -1) {
  		is_new = 1;
 +	} else if (sopt->sopt_name == IP_ADD_MEMBERSHIP) {
 +		/* Trying to join the same Any-source group again. */
 +		error = EADDRINUSE;
 +		goto out_inp_locked;
  	} else {
  		inm = imo->imo_membership[idx];
 
 
 --------------060002070100090400000100--
 
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sat Sep 12 03:38:26 UTC 2009 
Responsible-Changed-Why:  
A patch is now included.  Reassign to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=137164 
State-Changed-From-To: open->patched 
State-Changed-By: bms 
State-Changed-When: Sat 12 Sep 2009 20:17:38 UTC 
State-Changed-Why:  
Actually should be resolved by SVN rev 197132. 
See SVN rev 197135 for further tightening of the logic in this case. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=137164 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/137164: commit references a PR
Date: Sat, 12 Sep 2009 20:18:37 +0000 (UTC)

 Author: bms
 Date: Sat Sep 12 20:18:23 2009
 New Revision: 197135
 URL: http://svn.freebsd.org/changeset/base/197135
 
 Log:
   Don't allow joins w/o source on an existing group.
   This is almost always pilot error.
   
   We don't need to check for group filter UNDEFINED state at t1,
   because we only ever allocate filters with their groups, so we
   unconditionally reject such calls with EINVAL.
   Trying to change the active filter mode w/o going through IP_MSFILTER
   is also disallowed.
   
   Deals with the case described in PR 137164 upfront, cumulative
   with the fix in svn rev 197132 which only calls imo_match_source()
   if the source address family was not unspecified.
   
   PR:		137164
   MFC after:	5 days
 
 Modified:
   head/sys/netinet/in_mcast.c
 
 Modified: head/sys/netinet/in_mcast.c
 ==============================================================================
 --- head/sys/netinet/in_mcast.c	Sat Sep 12 20:03:45 2009	(r197134)
 +++ head/sys/netinet/in_mcast.c	Sat Sep 12 20:18:23 2009	(r197135)
 @@ -1982,15 +1982,18 @@ inp_join_group(struct inpcb *inp, struct
  			}
  		} else {
  			/*
 -			 * MCAST_JOIN_GROUP on an existing inclusive
 -			 * membership is an error; if you want to change
 -			 * filter mode, you must use the userland API
 -			 * setsourcefilter().
 +			 * MCAST_JOIN_GROUP alone, on any existing membership,
 +			 * is rejected, to stop the same inpcb tying up
 +			 * multiple refs to the in_multi.
 +			 * On an existing inclusive membership, this is also
 +			 * an error; if you want to change filter mode,
 +			 * you must use the userland API setsourcefilter().
 +			 * XXX We don't reject this for imf in UNDEFINED
 +			 * state at t1, because allocation of a filter
 +			 * is atomic with allocation of a membership.
  			 */
 -			if (imf->imf_st[1] == MCAST_INCLUDE) {
 -				error = EINVAL;
 -				goto out_inp_locked;
 -			}
 +			error = EINVAL;
 +			goto out_inp_locked;
  		}
  	}
  
 @@ -2025,6 +2028,9 @@ inp_join_group(struct inpcb *inp, struct
  	 * membership of the group. The in_multi may not have
  	 * been allocated yet if this is a new membership, however,
  	 * the in_mfilter slot will be allocated and must be initialized.
 +	 *
 +	 * Note: Grafting of exclusive mode filters doesn't happen
 +	 * in this path.
  	 */
  	if (ssa->ss.ss_family != AF_UNSPEC) {
  		/* Membership starts in IN mode */
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/137164: commit references a PR
Date: Thu, 17 Sep 2009 13:42:09 +0000 (UTC)

 Author: bms
 Date: Thu Sep 17 13:41:59 2009
 New Revision: 197280
 URL: http://svn.freebsd.org/changeset/base/197280
 
 Log:
   MFC revs 197129,197130,197132:
    Fixes to mcast userland API.
   --
     Fix an API issue in leave processing for IPv4 multicast groups.
      * Do not assume that the group lookup performed by imo_match_group()
        is valid when ifp is NULL in this case.
      * Instead, return EADDRNOTAVAIL if the ifp cannot be resolved for the
        membership we are being asked to leave.
   
     Caveat user:
      * The way IPv4 multicast memberships are implemented in the inpcb layer
        at the moment, has the side-effect that struct ip_moptions will
        still hold the membership, under the old ifp, until ip_freemoptions()
        is called for the parent inpcb.
      * The underlying issue is: the inpcb layer does not get notification
        of ifp being detached going away in a thread-safe manner.
        This is non-trivial to fix.
   --
     Fix an obvious logic error in the IPv4 multicast leave processing,
     where the filter mode vector was not updated correctly after the leave.
   --
     Tighten input checking in inp_join_group():
      * Don't try to use the source address, when its family is unspecified.
      * If we get a join without a source, on an existing inclusive
        mode group, this is an error, as it would change the filter mode.
   
     Fix a problem with the handling of in_mfilter for new memberships:
      * Do not rely on imf being NULL; it is explicitly initialized to a
        non-NULL pointer when constructing a membership.
      * Explicitly initialize *imf to EX mode when the source address
        is unspecified.
     This fixes a problem with in_mfilter slot recycling in the join path.
   --
     Don't allow joins w/o source on an existing group.
     This is almost always pilot error.
   
     We don't need to check for group filter UNDEFINED state at t1,
     because we only ever allocate filters with their groups, so we
     unconditionally reject such calls with EINVAL.
     Trying to change the active filter mode w/o going through IP_MSFILTER
     is also disallowed.
   
     Deals with the case described in PR 137164 upfront, cumulative
     with the fix in svn rev 197132 which only calls imo_match_source()
     if the source address family was not unspecified.
   --
   
   Revision 197136 has a text conflict, however it is a comment only change.
   
   PR:		137164, 138689, 138690, 138691
   Submitted by:	Stef Walter (with fixups)
   Approved by:	re (kib)
 
 Modified:
   stable/8/sys/   (props changed)
   stable/8/sys/amd64/include/xen/   (props changed)
   stable/8/sys/cddl/contrib/opensolaris/   (props changed)
   stable/8/sys/contrib/dev/acpica/   (props changed)
   stable/8/sys/contrib/pf/   (props changed)
   stable/8/sys/dev/ciss/   (props changed)
   stable/8/sys/dev/xen/xenpci/   (props changed)
   stable/8/sys/netinet/in_mcast.c
 
 Modified: stable/8/sys/netinet/in_mcast.c
 ==============================================================================
 --- stable/8/sys/netinet/in_mcast.c	Thu Sep 17 13:33:40 2009	(r197279)
 +++ stable/8/sys/netinet/in_mcast.c	Thu Sep 17 13:41:59 2009	(r197280)
 @@ -1957,11 +1957,6 @@ inp_join_group(struct inpcb *inp, struct
  	if (ifp == NULL || (ifp->if_flags & IFF_MULTICAST) == 0)
  		return (EADDRNOTAVAIL);
  
 -	/*
 -	 * MCAST_JOIN_SOURCE on an exclusive membership is an error.
 -	 * On an existing inclusive membership, it just adds the
 -	 * source to the filter list.
 -	 */
  	imo = inp_findmoptions(inp);
  	idx = imo_match_group(imo, ifp, &gsa->sa);
  	if (idx == -1) {
 @@ -1969,15 +1964,33 @@ inp_join_group(struct inpcb *inp, struct
  	} else {
  		inm = imo->imo_membership[idx];
  		imf = &imo->imo_mfilters[idx];
 -		if (ssa->ss.ss_family != AF_UNSPEC &&
 -		    imf->imf_st[1] != MCAST_INCLUDE) {
 -			error = EINVAL;
 -			goto out_inp_locked;
 -		}
 -		lims = imo_match_source(imo, idx, &ssa->sa);
 -		if (lims != NULL) {
 -			error = EADDRNOTAVAIL;
 -			goto out_inp_locked;
 +		if (ssa->ss.ss_family != AF_UNSPEC) {
 +			/*
 +			 * MCAST_JOIN_SOURCE on an exclusive membership
 +			 * is an error. On an existing inclusive membership,
 +			 * it just adds the source to the filter list.
 +			 */
 +			if (imf->imf_st[1] != MCAST_INCLUDE) {
 +				error = EINVAL;
 +				goto out_inp_locked;
 +			}
 +			/* Throw out duplicates. */
 +			lims = imo_match_source(imo, idx, &ssa->sa);
 +			if (lims != NULL) {
 +				error = EADDRNOTAVAIL;
 +				goto out_inp_locked;
 +			}
 +		} else {
 +			/*
 +			 * MCAST_JOIN_GROUP on an existing inclusive
 +			 * membership is an error; if you want to change
 +			 * filter mode, you must use the userland API
 +			 * setsourcefilter().
 +			 */
 +			if (imf->imf_st[1] == MCAST_INCLUDE) {
 +				error = EINVAL;
 +				goto out_inp_locked;
 +			}
  		}
  	}
  
 @@ -2010,7 +2023,8 @@ inp_join_group(struct inpcb *inp, struct
  	/*
  	 * Graft new source into filter list for this inpcb's
  	 * membership of the group. The in_multi may not have
 -	 * been allocated yet if this is a new membership.
 +	 * been allocated yet if this is a new membership, however,
 +	 * the in_mfilter slot will be allocated and must be initialized.
  	 */
  	if (ssa->ss.ss_family != AF_UNSPEC) {
  		/* Membership starts in IN mode */
 @@ -2027,6 +2041,12 @@ inp_join_group(struct inpcb *inp, struct
  			error = ENOMEM;
  			goto out_imo_free;
  		}
 +	} else {
 +		/* No address specified; Membership starts in EX mode */
 +		if (is_new) {
 +			CTR1(KTR_IGMPV3, "%s: new join w/o source", __func__);
 +			imf_init(imf, MCAST_UNDEFINED, MCAST_EXCLUDE);
 +		}
  	}
  
  	/*
 @@ -2189,6 +2209,9 @@ inp_leave_group(struct inpcb *inp, struc
  	if (!IN_MULTICAST(ntohl(gsa->sin.sin_addr.s_addr)))
  		return (EINVAL);
  
 +	if (ifp == NULL)
 +		return (EADDRNOTAVAIL);
 +
  	/*
  	 * Find the membership in the membership array.
  	 */
 @@ -2275,9 +2298,11 @@ out_imf_rollback:
  	imf_reap(imf);
  
  	if (is_final) {
 -		/* Remove the gap in the membership array. */
 -		for (++idx; idx < imo->imo_num_memberships; ++idx)
 +		/* Remove the gap in the membership and filter array. */
 +		for (++idx; idx < imo->imo_num_memberships; ++idx) {
  			imo->imo_membership[idx-1] = imo->imo_membership[idx];
 +			imo->imo_mfilters[idx-1] = imo->imo_mfilters[idx];
 +		}
  		imo->imo_num_memberships--;
  	}
  
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: bms 
State-Changed-When: Tue 29 Sep 2009 06:17:26 UTC 
State-Changed-Why:  
appropriate fixes MFCed and in 8.0-RC1 

http://www.freebsd.org/cgi/query-pr.cgi?pr=137164 

From: Stef Walter <stef@memberwebs.com>
To: bug-followup@FreeBSD.org, jhanna@pangolin-systems.com, 
 Bruce Simpson <bms@incunabulum.net>
Cc:  
Subject: Re: kern/137164: [netinet] [patch] assert panic imo_match_source()
Date: Tue, 06 Oct 2009 10:37:31 -0500

 This is a multi-part message in MIME format.
 --------------090401010308070005060707
 Content-Type: text/plain; charset=ISO-8859-1
 Content-Transfer-Encoding: 7bit
 
 Thanks for working on getting all these multicast fixes in. Much
 appreciated!
 
 Just one more thing, previous to 7.x FreeBSD would return EADDRINUSE
 in the case of a double IP_ADD_MEMBERSHIP. Software like quagga uses
 this error code to detect this condition.
 
 As patched (and MFC'd in 7.x and 8.x) EINVAL is returned instead and
 this confuses such software.
 
 Currently the multicast code does not remove memberships from its
 internal structures when an interface goes down. It's hard for userland
 to reliably track the condition of a multicast membership that didn't go
 away due to an interface going down. So software like quagga uses
 EADDRINUSE to track the condition.
 
 Obviously, as you Bruce mentioned, an better solution needs to be found
 eventually WRT to 'dynamic' interfaces and the multicast code. But for
 now would the attached patch be acceptable? It would prevent regressions
 from FreeBSD 6.x.
 
 Thanks for considering,
 
 Stef
 
 
 --------------090401010308070005060707
 Content-Type: text/x-diff;
  name="freebsd-mcast-eaddrinuse.patch"
 Content-Transfer-Encoding: 7bit
 Content-Disposition: inline;
  filename="freebsd-mcast-eaddrinuse.patch"
 
 --- sys/netinet/in_mcast.c.orig	2009-09-30 16:43:35.000000000 +0000
 +++ sys/netinet/in_mcast.c	2009-09-30 17:04:59.000000000 +0000
 @@ -2010,5 +2010,5 @@
  			 * is atomic with allocation of a membership.
  			 */
 -			error = EINVAL;
 +			error = EADDRINUSE;
  			goto out_inp_locked;
  		}
 
 
 --------------090401010308070005060707--

From: Bruce Simpson <bms@incunabulum.net>
To: Stef Walter <stef@memberwebs.com>
Cc: bug-followup@FreeBSD.org, jhanna@pangolin-systems.com
Subject: Re: kern/137164: [netinet] [patch] assert panic imo_match_source()
Date: Tue, 06 Oct 2009 17:56:54 +0100

 Hi Stef,
 
 I am about to leave on holiday for two weeks, so I probably won't have 
 time to check this change in.
 
 I'm kind of in a last minute rush right now, so it might be better to 
 ping syrinx@ about this change (I don't know if she is still under 
 mentorship or not).
 
 If I can get to it during the break (no promises), so far so good.
 
 cheers,
 BMS
>Unformatted:
