Message-ID: <43077CE2.2070300@shapeshifter.se>
Date: Sat, 20 Aug 2005 20:56:34 +0200
From: Fredrik Lindberg
To: Pawel Jakub Dawidek
Cc: freebsd-current@freebsd.org, rwatson@FreeBSD.org, Andrew Thompson
Subject: Re: [PANIC] 6.0BETA2 in l2ping flood

Pawel Jakub Dawidek wrote:
> On Fri, Aug 19, 2005 at 01:17:34PM +1200, Andrew Thompson wrote:
> +> On Thu, Aug 18, 2005 at 11:01:29PM +0200, Pawel Jakub Dawidek wrote:
> +> > On Thu, Aug 18, 2005 at 11:18:38AM +1200, Andrew Thompson wrote:
> +> > +> Interesting... I can get exactly the same panic by doing
> +> > +>
> +> > +>   ifconfig bridge0 create
> +> > +>   <'tcpdump -i bridge0' on another terminal>
> +> > +>   ifconfig bridge0 up
> +> > +>   ifconfig bridge0 destroy
> +> >
> +> > Here, when you destroy bridge0, callout handle is also destroyed,
> +> > but on detach, bpf wants to turn off promiscuous mode and call
> +> > bridge_init(), because it doesn't have IFF_DRV_RUNNING flag set.
> +> >
> +> > bridge_init() calls callout_reset() on destroyed callout handle.
> +> >
> +>
> +> Thanks for explaining this, you have saved me a lot of suffering.
> +>
> +> This patch fixes the panic on destroy, is it the correct way to solve
> +> the problem? I need to commit something before 6.0.
>
> My explanation wasn't quite right.
>
> callout_reset() is called on a valid handle, but right after that, softc
> structure is freed, so when softclock calls your function, softc is
> already dead.
>
> Here is a patch which fixes it:
>
>   http://people.freebsd.org/~pjd/patches/if_bridge.c.patch
>
> If you don't want to change bridge_softc structure size, you can also
> verify in bridge_init() if the given 'sc' is on bridge_list list.
>

There is a similar issue with ip_carp, you can panic your system with

  ifconfig create carp0
  ifconfig carp0 vhid 1 pass foo 192.168.0.1/24
  tcpdump -i carp0
  ifconfig destroy carp0

#25 0xc057e086 in _mtx_lock_flags (m=0x10, opts=0, file=0xc07cb579 "/usr/src/sys/netinet/ip_carp.c", line=1810)
    at /usr/src/sys/kern/kern_mutex.c:268
#26 0xc06394d3 in carp_ioctl (ifp=0x0, cmd=0, addr=0xe6b3db38 "hÛ³æp5[À\220ò\207ÀdÛ³æ\001")
    at /usr/src/sys/netinet/ip_carp.c:1810
#27 0xc0608728 in if_setflag (ifp=0xc1b70400, flag=0, pflag=0, refcount=0xc1b70444, onswitch=0)
    at /usr/src/sys/net/if.c:1650
#28 0xc06087cb in ifpromisc (ifp=0xc1b70400, pswitch=0) at /usr/src/sys/net/if.c:1677
#29 0xc060296b in bpf_detachd (d=0xc20ea900) at /usr/src/sys/net/bpf.c:329
#30 0xc06048bb in bpfdetach (ifp=0xc1b70400) at /usr/src/sys/net/bpf.c:1533
#31 0xc063654c in carp_clone_destroy (ifp=0xc1b70400) at /usr/src/sys/netinet/ip_carp.c:454

I attached a patch which is similar to the one posted by Pawel, it adds
a softc-flag, CARP_FLAG_DYING.

Fredrik Lindberg

Index: ip_carp.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_carp.c,v retrieving revision 1.30 diff -u -r1.30 ip_carp.c --- ip_carp.c 9 Aug 2005 10:20:00 -0000 1.30 +++ ip_carp.c 20 Aug 2005 18:37:51 -0000 @@ -116,6 +116,8 @@ int sc_advbase; /* seconds */ int sc_init_counter; u_int64_t sc_counter; +#define CARP_FLAG_DYING 0x01 + int sc_flags; /* authentication */ #define CARP_HMAC_PAD 64 @@ -369,6 +371,7 @@ sc->sc_advskew = 0; sc->sc_init_counter = 1; sc->sc_naddrs = sc->sc_naddrs6 = 0; /* M_ZERO? */ + sc->sc_flags = 0; #ifdef INET6 sc->sc_im6o.im6o_multicast_hlim = CARP_DFLTTL; #endif @@ -450,6 +453,7 @@ mtx_lock(&carp_mtx); LIST_REMOVE(sc, sc_next); + sc->sc_flags |= CARP_FLAG_DYING; mtx_unlock(&carp_mtx); bpfdetach(ifp); if_detach(ifp); @@ -1740,6 +1744,9 @@ ifa = (struct ifaddr *)addr; ifra = (struct ifaliasreq *)addr; ifr = (struct ifreq *)addr; + + if (sc->sc_flags & CARP_FLAG_DYING) + return ENXIO; switch (cmd) { case SIOCSIFADDR:
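
Review bot: In the hunk at @@ -116,6 +116,8 @@, the new `int sc_flags;` member carries no comment, unlike its neighbour `sc_advbase; /* seconds */`, and the `#define CARP_FLAG_DYING 0x01` sits between members without saying which field it belongs to. Suggest a comment on sc_flags stating that it holds CARP_FLAG_* bits and that CARP_FLAG_DYING means the interface is being destroyed; an unsigned type would also suit a bit mask better than int.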
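
Review bot: In the hunk at @@ -369,6 +371,7 @@, `sc->sc_flags = 0;` is added right under a line whose own comment asks "M_ZERO?", so the patch repeats a zeroing whose necessity the code already questions. The allocation is not visible in this hunk; worth confirming whether the softc is allocated zeroed, then either dropping the assignment or resolving that comment.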
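
Review bot: In the hunk at @@ -450,6 +453,7 @@, nothing explains why CARP_FLAG_DYING is set inside the carp_mtx section that does LIST_REMOVE, or why it must happen before `bpfdetach(ifp);`. A one-line comment that the flag stops the bpfdetach() and if_detach() calls just below from re-entering carp_ioctl() (frames #26 to #31 of the backtrace) would keep a later change from moving or dropping it.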
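
Review bot: In the hunk at @@ -1740,6 +1744,9 @@, the new test reads sc->sc_flags with no lock visible, while the hunk at @@ -450,6 +453,7 @@ sets the flag under carp_mtx. Either take the same lock here or add a comment on why an unlocked read is enough (in the backtrace the ioctl runs in the destroying thread itself). The check also rejects every cmd with ENXIO before the switch, and that value travels back through if_setflag() and ifpromisc() to bpf_detachd(), so a comment on why ENXIO was chosen would help. Style: style(9) wants the return value parenthesised, `return (ENXIO);`.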
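
The destroy-time re-entry discussed in this message, as an added userspace model that is not part of the original mail or of ip_carp.c: destroy unlinks the softc and releases its state, then the detach step calls back into the ioctl handler. It compares no guard, the dying-flag guard from the patch, and the list-membership check Pawel suggests; all names (model_ioctl, model_destroy, run_case, WOULD_FAULT) are hypothetical, and WOULD_FAULT stands in for the kernel dereference so the program does not crash.

```c
/* Constructed userspace model of the destroy-time re-entry; not kernel code. */
#include <errno.h>
#include <stdio.h>
#define FLAG_DYING  0x01        /* stands in for CARP_FLAG_DYING */
#define WOULD_FAULT (-1)        /* handler reached torn-down state */
enum guard { GUARD_NONE, GUARD_FLAG, GUARD_LIST };
struct softc {
    int flags;
    int *dev;                   /* state released during destroy */
    struct softc *next;         /* link in the global softc list */
};
static struct softc *sc_list;   /* hypothetical stand-in for the driver's list */

static int on_list(const struct softc *sc) {
    for (const struct softc *p = sc_list; p != NULL; p = p->next)
        if (p == sc) return 1;
    return 0;
}

/* Handler the detach path calls back into (carp_ioctl in the backtrace). */
static int model_ioctl(struct softc *sc, enum guard g) {
    if (g == GUARD_FLAG && (sc->flags & FLAG_DYING)) return ENXIO;
    if (g == GUARD_LIST && !on_list(sc)) return ENXIO;
    if (sc->dev == NULL) return WOULD_FAULT;  /* kernel would dereference here */
    return 0;
}

/* Destroy: unlink, mark dying, release state, then re-enter the handler. */
static int model_destroy(struct softc *sc, enum guard g) {
    struct softc **pp = &sc_list;
    while (*pp != NULL && *pp != sc) pp = &(*pp)->next;
    if (*pp == sc) *pp = sc->next;
    sc->flags |= FLAG_DYING;
    sc->dev = NULL;
    return model_ioctl(sc, g);  /* what bpfdetach -> ifpromisc would see */
}

/* Create a live softc, confirm the handler works, then destroy it. */
int run_case(enum guard g) {
    static int device;
    struct softc sc = { 0, &device, sc_list };
    sc_list = &sc;
    if (model_ioctl(&sc, g) != 0) return -2;
    return model_destroy(&sc, g);
}

int main(void) {
    printf("none=%d flag=%d list=%d\n", run_case(GUARD_NONE),
           run_case(GUARD_FLAG), run_case(GUARD_LIST));
    return 0;
}
```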