Bug #14433: Panic when changing the parent of a VLAN interface used by limiters - pfSense - pfSense bugtracker

Actions

Copy link

Bug #14433

closed

Panic when changing the parent of a VLAN interface used by limiters

Added by Marcos M 11 months ago. Updated 11 months ago.

Status:

Resolved

Priority:

Normal

Assignee:

Kristof Provost

Category:

Interfaces

Target version:

2.7.0

Start date:

Due date:

% Done:

Estimated time:

Plus Target Version:

23.05.1

Release Notes:

Default

Affected Version:

2.7.0

Affected Architecture:

Description

Tested in 23.05:

Assign a VLAN interface vmx0.99
Use the interface with limiters (WF2Q+ pipe with Tail Drop queues)
Change the parent interface of the VLAN (to vmx1.99)

In this case, vmx0.99 is also being used for a GIF interface. Potentially related, vmx0 is set to 9000 MTU and vmx1 is 1500.

<6>vlan0: changing name to 'vmx1.99'
<6>gif0: link state changed to DOWN
<6>gif0: link state changed to UP
--- heap_extract: empty heap 0x0xfffff8013463c9f0
<6>gif0: link state changed to DOWN
<6>gif0: link state changed to UP
--- heap_extract: empty heap 0x0xfffff8013463c9f0
dummynet: fast io: pkt chain detected!
dummynet: fast io: pkt chain detected!
dummynet: fast io: pkt chain detected!
panic: heap_extract: father -16 out of bound 0..1

cpuid = 3
time = 1685413658
KDB: enter: panic

db:1:pfs> bt
Tracing pid 0 tid 100010 td 0xfffffe00105cc560
kdb_enter() at kdb_enter+0x32/frame 0xfffffe000edd3330
vpanic() at vpanic+0x183/frame 0xfffffe000edd3380
panic() at panic+0x43/frame 0xfffffe000edd33e0
heap_scan() at heap_scan/frame 0xfffffe000edd3410
wf2qp_enqueue() at wf2qp_enqueue+0x72/frame 0xfffffe000edd3450
dummynet_io() at dummynet_io+0x289/frame 0xfffffe000edd34b0
pf_dummynet_route() at pf_dummynet_route+0x392/frame 0xfffffe000edd3590
pf_route() at pf_route+0x235/frame 0xfffffe000edd3650
pf_test() at pf_test+0xc0a/frame 0xfffffe000edd37e0
pf_check_out() at pf_check_out+0x1f/frame 0xfffffe000edd3800
pfil_mbuf_out() at pfil_mbuf_out+0x35/frame 0xfffffe000edd3830
ip_output() at ip_output+0xa8f/frame 0xfffffe000edd3920
ip_forward() at ip_forward+0x3d5/frame 0xfffffe000edd39d0
ip_input() at ip_input+0x686/frame 0xfffffe000edd3a30
netisr_dispatch_src() at netisr_dispatch_src+0x2a0/frame 0xfffffe000edd3a80
ether_demux() at ether_demux+0x149/frame 0xfffffe000edd3ab0
ether_nh_input() at ether_nh_input+0x352/frame 0xfffffe000edd3b10
netisr_dispatch_src() at netisr_dispatch_src+0xb0/frame 0xfffffe000edd3b60
ether_input() at ether_input+0x69/frame 0xfffffe000edd3bc0
ether_demux() at ether_demux+0x9a/frame 0xfffffe000edd3bf0
ether_nh_input() at ether_nh_input+0x352/frame 0xfffffe000edd3c50
netisr_dispatch_src() at netisr_dispatch_src+0xb0/frame 0xfffffe000edd3ca0
ether_input() at ether_input+0x69/frame 0xfffffe000edd3d00
iflib_rxeof() at iflib_rxeof+0xc13/frame 0xfffffe000edd3e00
_task_fn_rx() at _task_fn_rx+0x72/frame 0xfffffe000edd3e40
gtaskqueue_run_locked() at gtaskqueue_run_locked+0x15d/frame 0xfffffe000edd3ec0
gtaskqueue_thread_loop() at gtaskqueue_thread_loop+0xc3/frame 0xfffffe000edd3ef0
fork_exit() at fork_exit+0x7d/frame 0xfffffe000edd3f30
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe000edd3f30
--- trap 0x4ed32fa8, rip = 0, rsp = 0, rbp = 0x30646870 ---
db:1:pfs>  show registers
cs                        0x20
ds                        0x3b
es                        0x3b
fs                        0x13
gs                        0x1b
ss                        0x28
rax                       0x12
rcx                        0x1
rdx         0xfffffe000edd2f50
rbx                      0x100
rsp         0xfffffe000edd3330
rbp         0xfffffe000edd3330
rsi                       0x20
rdi         0xffffffff82d836d8  vt_conswindow+0x10
r8                           0
r9                    0x2ff000
r10         0xffffffff82d836c8  vt_conswindow
r11                      0x139
r12                          0
r13         0xfffff8003aca4300
r14         0xfffffe000edd33c0
r15         0xfffffe00105cc560
rip         0xffffffff80d48ff2  kdb_enter+0x32
rflags                    0x82
kdb_enter+0x32: movq    $0,0x2342e13(%rip)
db:1:pfs>  show pcpu
cpuid        = 3
dynamic pcpu = 0xfffffe008d5e6580
curthread    = 0xfffffe00105cc560: pid 0 tid 100010 critnest 1 "if_io_tqg_3" 
curpcb       = 0xfffffe00105cca80
fpcurthread  = none
idlethread   = 0xfffffe0010587e40: tid 100006 "idle: cpu3" 
self         = 0xffffffff84013000
curpmap      = 0xffffffff8303ff50
tssp         = 0xffffffff84013384
rsp0         = 0xfffffe000edd4000
kcr3         = 0x8000000009ec5002
ucr3         = 0xffffffffffffffff
scr3         = 0x5cded98c
gs32p        = 0xffffffff84013404
ldt          = 0xffffffff84013444
tss          = 0xffffffff84013434
curvnet      = 0xfffff800011ba740