Date: Sat, 20 Aug 2005 20:56:34 +0200 From: Fredrik Lindberg <fli+freebsd-current@shapeshifter.se> To: Pawel Jakub Dawidek <pjd@FreeBSD.org> Cc: freebsd-current@freebsd.org, rwatson@FreeBSD.org, Andrew Thompson <thompsa@freebsd.org> Subject: Re: [PANIC] 6.0BETA2 in l2ping flood Message-ID: <43077CE2.2070300@shapeshifter.se> In-Reply-To: <20050820161042.GA749@garage.freebsd.pl> References: <b0ba593005081703416d19fbf4@mail.gmail.com> <20050817231838.GA97927@heff.fud.org.nz> <20050818210128.GD18375@garage.freebsd.pl> <20050819011734.GA4206@heff.fud.org.nz> <20050820161042.GA749@garage.freebsd.pl>
next in thread | previous in thread | raw e-mail | index | archive | help
This is a multi-part message in MIME format. --------------080400080403020101020305 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit Pawel Jakub Dawidek wrote: > On Fri, Aug 19, 2005 at 01:17:34PM +1200, Andrew Thompson wrote: > +> On Thu, Aug 18, 2005 at 11:01:29PM +0200, Pawel Jakub Dawidek wrote: > +> > On Thu, Aug 18, 2005 at 11:18:38AM +1200, Andrew Thompson wrote: > +> > +> Interesting... I can get exactly the same panic by doing > +> > +> > +> > +> ifconfig bridge0 create > +> > +> <'tcpdump -i bridge0' on another terminal> > +> > +> ifconfig bridge0 up > +> > +> ifconfig bridge0 destroy > +> > > +> > Here, when you destroy bridge0, callout handle is also destroyed, > +> > but on detach, bpf wants to turn off promiscuous mode and call > +> > bridge_init(), because it doesn't have IFF_DRV_RUNNING flag set. > +> > > +> > bridge_init() calls callout_reset() on destroyed callout handle. > +> > > +> > +> Thanks for explaining this, you have saved me a lot of suffering. > +> > +> This patch fixes the panic on destroy, is it the correct way to solve > +> the problem? I need to commit something before 6.0. > > My explanation wasn't quite right. > > callout_reset() is called on a valid handle, but right after that, softc > structure if freed, so when softclock calls your function, softc is > already dead. > > Here is a patch which fix it: > > http://people.freebsd.org/~pjd/patches/if_bridge.c.patch > > If you don't want to change bridge_softc structure size, you can also > verify in bridge_init() if the given 'sc' is on bridge_list list. > There is a smiliar issue with ip_carp, you can panic your system with ifconfig create carp0 itconfig carp0 vhid 1 pass foo 192.168.0.1/24 tcpdump -i carp0 <switch term> ifconfig destroy carp0 #25 0xc057e086 in _mtx_lock_flags (m=0x10, opts=0, file=0xc07cb579 "/usr/src/sys/netinet/ip_carp.c", line=1810) at /usr/src/sys/kern/kern_mutex.c:268 #26 0xc06394d3 in carp_ioctl (ifp=0x0, cmd=0, addr=0xe6b3db38 "hÛ³æp5[À\220ò\207ÀdÛ³æ\001") at /usr/src/sys/netinet/ip_carp.c:1810 #27 0xc0608728 in if_setflag (ifp=0xc1b70400, flag=0, pflag=0, refcount=0xc1b70444, onswitch=0) at /usr/src/sys/net/if.c:1650 #28 0xc06087cb in ifpromisc (ifp=0xc1b70400, pswitch=0) at /usr/src/sys/net/if.c:1677 #29 0xc060296b in bpf_detachd (d=0xc20ea900) at /usr/src/sys/net/bpf.c:329 #30 0xc06048bb in bpfdetach (ifp=0xc1b70400) at /usr/src/sys/net/bpf.c:1533 #31 0xc063654c in carp_clone_destroy (ifp=0xc1b70400) at /usr/src/sys/netinet/ip_carp.c:454 I attached a patch which is similar to the one posted by Pawel, it adds a softc-flag, CARP_FLAG_DYING. Fredrik Lindberg --------------080400080403020101020305 Content-Type: text/plain; name="ip_carp.c-20050820.patch" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="ip_carp.c-20050820.patch" Index: ip_carp.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_carp.c,v retrieving revision 1.30 diff -u -r1.30 ip_carp.c --- ip_carp.c 9 Aug 2005 10:20:00 -0000 1.30 +++ ip_carp.c 20 Aug 2005 18:37:51 -0000 @@ -116,6 +116,8 @@ int sc_advbase; /* seconds */ int sc_init_counter; u_int64_t sc_counter; +#define CARP_FLAG_DYING 0x01 + int sc_flags; /* authentication */ #define CARP_HMAC_PAD 64 @@ -369,6 +371,7 @@ sc->sc_advskew = 0; sc->sc_init_counter = 1; sc->sc_naddrs = sc->sc_naddrs6 = 0; /* M_ZERO? */ + sc->sc_flags = 0; #ifdef INET6 sc->sc_im6o.im6o_multicast_hlim = CARP_DFLTTL; #endif @@ -450,6 +453,7 @@ mtx_lock(&carp_mtx); LIST_REMOVE(sc, sc_next); + sc->sc_flags |= CARP_FLAG_DYING; mtx_unlock(&carp_mtx); bpfdetach(ifp); if_detach(ifp); @@ -1740,6 +1744,9 @@ ifa = (struct ifaddr *)addr; ifra = (struct ifaliasreq *)addr; ifr = (struct ifreq *)addr; + + if (sc->sc_flags & CARP_FLAG_DYING) + return ENXIO; switch (cmd) { case SIOCSIFADDR: --------------080400080403020101020305--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43077CE2.2070300>