Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 20 Aug 2005 20:56:34 +0200
From:      Fredrik Lindberg <fli+freebsd-current@shapeshifter.se>
To:        Pawel Jakub Dawidek <pjd@FreeBSD.org>
Cc:        freebsd-current@freebsd.org, rwatson@FreeBSD.org, Andrew Thompson <thompsa@freebsd.org>
Subject:   Re: [PANIC] 6.0BETA2 in l2ping flood
Message-ID:  <43077CE2.2070300@shapeshifter.se>
In-Reply-To: <20050820161042.GA749@garage.freebsd.pl>
References:  <b0ba593005081703416d19fbf4@mail.gmail.com>	<20050817231838.GA97927@heff.fud.org.nz>	<20050818210128.GD18375@garage.freebsd.pl>	<20050819011734.GA4206@heff.fud.org.nz> <20050820161042.GA749@garage.freebsd.pl>

next in thread | previous in thread | raw e-mail | index | archive | help
This is a multi-part message in MIME format.
--------------080400080403020101020305
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit

Pawel Jakub Dawidek wrote:
> On Fri, Aug 19, 2005 at 01:17:34PM +1200, Andrew Thompson wrote:
> +> On Thu, Aug 18, 2005 at 11:01:29PM +0200, Pawel Jakub Dawidek wrote:
> +> > On Thu, Aug 18, 2005 at 11:18:38AM +1200, Andrew Thompson wrote:
> +> > +> Interesting... I can get exactly the same panic by doing
> +> > +> 
> +> > +>  ifconfig bridge0 create
> +> > +>   <'tcpdump -i bridge0' on another terminal>
> +> > +>  ifconfig bridge0 up
> +> > +>  ifconfig bridge0 destroy
> +> > 
> +> > Here, when you destroy bridge0, callout handle is also destroyed,
> +> > but on detach, bpf wants to turn off promiscuous mode and call
> +> > bridge_init(), because it doesn't have IFF_DRV_RUNNING flag set.
> +> > 
> +> > bridge_init() calls callout_reset() on destroyed callout handle.
> +> > 
> +> 
> +> Thanks for explaining this, you have saved me a lot of suffering.
> +> 
> +> This patch fixes the panic on destroy, is it the correct way to solve
> +> the problem? I need to commit something before 6.0.
> 
> My explanation wasn't quite right.
> 
> callout_reset() is called on a valid handle, but right after that, softc
> structure if freed, so when softclock calls your function, softc is
> already dead.
> 
> Here is a patch which fix it:
> 
> 	http://people.freebsd.org/~pjd/patches/if_bridge.c.patch
> 
> If you don't want to change bridge_softc structure size, you can also
> verify in bridge_init() if the given 'sc' is on bridge_list list.
> 

There is a smiliar issue with ip_carp, you can panic your system with
ifconfig create carp0
itconfig carp0 vhid 1 pass foo 192.168.0.1/24
tcpdump -i carp0
<switch term>
ifconfig destroy carp0

#25 0xc057e086 in _mtx_lock_flags (m=0x10, opts=0,
     file=0xc07cb579 "/usr/src/sys/netinet/ip_carp.c", line=1810)
     at /usr/src/sys/kern/kern_mutex.c:268
#26 0xc06394d3 in carp_ioctl (ifp=0x0, cmd=0,
     addr=0xe6b3db38 "hÛ³æp5[À\220ò\207ÀdÛ³æ\001")
     at /usr/src/sys/netinet/ip_carp.c:1810
#27 0xc0608728 in if_setflag (ifp=0xc1b70400, flag=0, pflag=0,
     refcount=0xc1b70444, onswitch=0) at /usr/src/sys/net/if.c:1650
#28 0xc06087cb in ifpromisc (ifp=0xc1b70400, pswitch=0)
     at /usr/src/sys/net/if.c:1677
#29 0xc060296b in bpf_detachd (d=0xc20ea900) at /usr/src/sys/net/bpf.c:329
#30 0xc06048bb in bpfdetach (ifp=0xc1b70400) at /usr/src/sys/net/bpf.c:1533
#31 0xc063654c in carp_clone_destroy (ifp=0xc1b70400)
     at /usr/src/sys/netinet/ip_carp.c:454

I attached a patch which is similar to the one posted by Pawel,
it adds a softc-flag, CARP_FLAG_DYING.

	Fredrik Lindberg

--------------080400080403020101020305
Content-Type: text/plain;
 name="ip_carp.c-20050820.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="ip_carp.c-20050820.patch"

Index: ip_carp.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_carp.c,v
retrieving revision 1.30
diff -u -r1.30 ip_carp.c
--- ip_carp.c	9 Aug 2005 10:20:00 -0000	1.30
+++ ip_carp.c	20 Aug 2005 18:37:51 -0000
@@ -116,6 +116,8 @@
 	int			 sc_advbase;	/* seconds */
 	int			 sc_init_counter;
 	u_int64_t		 sc_counter;
+#define CARP_FLAG_DYING	0x01
+	int			 sc_flags;
 
 	/* authentication */
 #define CARP_HMAC_PAD	64
@@ -369,6 +371,7 @@
 	sc->sc_advskew = 0;
 	sc->sc_init_counter = 1;
 	sc->sc_naddrs = sc->sc_naddrs6 = 0; /* M_ZERO? */
+	sc->sc_flags = 0;
 #ifdef INET6
 	sc->sc_im6o.im6o_multicast_hlim = CARP_DFLTTL;
 #endif
@@ -450,6 +453,7 @@
 
 	mtx_lock(&carp_mtx);
 	LIST_REMOVE(sc, sc_next);
+	sc->sc_flags |= CARP_FLAG_DYING;
 	mtx_unlock(&carp_mtx);
 	bpfdetach(ifp);
 	if_detach(ifp);
@@ -1740,6 +1744,9 @@
 	ifa = (struct ifaddr *)addr;
 	ifra = (struct ifaliasreq *)addr;
 	ifr = (struct ifreq *)addr;
+
+	if (sc->sc_flags & CARP_FLAG_DYING)
+		return ENXIO;
 
 	switch (cmd) {
 	case SIOCSIFADDR:

--------------080400080403020101020305--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43077CE2.2070300>