From owner-freebsd-current@FreeBSD.ORG Mon Oct 10 20:29:42 2005 Return-Path: X-Original-To: current@freebsd.org Delivered-To: freebsd-current@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 00AB816A41F; Mon, 10 Oct 2005 20:29:42 +0000 (GMT) (envelope-from brdavis@odin.ac.hmc.edu) Received: from odin.ac.hmc.edu (Odin.AC.HMC.Edu [134.173.32.75]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8FC0D43D45; Mon, 10 Oct 2005 20:29:41 +0000 (GMT) (envelope-from brdavis@odin.ac.hmc.edu) Received: from odin.ac.hmc.edu (localhost.localdomain [127.0.0.1]) by odin.ac.hmc.edu (8.13.0/8.13.0) with ESMTP id j9AKT3Wj013537; Mon, 10 Oct 2005 13:29:03 -0700 Received: (from brdavis@localhost) by odin.ac.hmc.edu (8.13.0/8.13.0/Submit) id j9AKT0C2013534; Mon, 10 Oct 2005 13:29:00 -0700 Date: Mon, 10 Oct 2005 13:29:00 -0700 From: Brooks Davis To: Andrew Thompson , Yar Tikhiy , Brooks Davis , Pawel Jakub Dawidek , FreeBSD Current Message-ID: <20051010202900.GA24213@odin.ac.hmc.edu> References: <20051005024903.GA72743@heff.fud.org.nz> <20051005203639.GA20552@garage.freebsd.pl> <20051005205515.GA30350@odin.ac.hmc.edu> <20051005210950.GB75848@heff.fud.org.nz> <20051009232849.GA27349@comp.chem.msu.su> <20051010022208.GA97249@heff.fud.org.nz> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="1yeeQ81UyVL57Vl7" Content-Disposition: inline In-Reply-To: <20051010022208.GA97249@heff.fud.org.nz> User-Agent: Mutt/1.4.1i X-Virus-Scanned: by amavisd-new X-Spam-Status: No, hits=0.0 required=8.0 tests=none autolearn=no version=2.63 X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on odin.ac.hmc.edu Cc: Subject: Re: panic: ifc_free_unit: bit is already cleared X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Oct 2005 20:29:42 -0000 --1yeeQ81UyVL57Vl7 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Oct 10, 2005 at 03:22:08PM +1300, Andrew Thompson wrote: > On Mon, Oct 10, 2005 at 03:28:49AM +0400, Yar Tikhiy wrote: > > On Thu, Oct 06, 2005 at 10:09:50AM +1300, Andrew Thompson wrote: > > > On Wed, Oct 05, 2005 at 01:55:15PM -0700, Brooks Davis wrote: > > > > On Wed, Oct 05, 2005 at 10:36:39PM +0200, Pawel Jakub Dawidek wrote: > > > > > On Wed, Oct 05, 2005 at 03:49:03PM +1300, Andrew Thompson wrote: > > > > > +> Hi, > > > > > +>=20 > > > > > +> I have found a repeatable panic with network device cloning, u= nfortunatly I am > > > > > +> unable to dump on this box. This is sparc64 with a 2 day old c= urrent. > > > > >=20 > > > > > The order is wrong in vlan_modevent(). > > > > >=20 > > > > > if_clone_detach() is freeing ifc_units field, so ifc_free_unit() = should not > > > > > be called after that. > > > > >=20 > > > > > This patch should fix the problem: > > > > >=20 > > > > > http://people.freebsd.org/~pjd/patches/if_vlan.c.patch > > > >=20 > > > > Yes. This does introduce a race in that a new interface could > > > > be created between the vlan_clone_destroy loop and the call to > > > > if_clone_detach. > > >=20 > > > I dont think this is the problem. IF_CLONE_REMREF(ifc) is freeing > > > ifc->ifc_units in if_clone_detach(). It look like the ref counting is= nt > > > working quite right. > >=20 > > FWIW, I tried to look at the $subject problem since I had had it > > before, but just got a different panic: > >=20 > > Memory modified after free 0xc140b000(4092) val=3Ddeadc0dc @ 0x= c140b000 > > panic: Most recently used by clone > >=20 > > The clone code seems to have decremented something (refcount?) twice > > after freeing the memory chunk. >=20 > I have been testing this patch and I think it fixes all the problems > discussed. >=20 > It changes refcounting to count the number of cloned interfaces so > ifc_units is only freed when its safe. A new function has been added to > decrement this when a simple cloner module is unloaded. The cloner is > still detached first to prevent the race. >=20 > In most cases the change is as simple as: > while ((sc =3D LIST_FIRST(&gre_softc_list)) !=3D NULL) { > LIST_REMOVE(sc, sc_list); > mtx_unlock(&gre_mtx); > + ifc_simple_free(&gre_cloner, GRE2IFP(sc)); > gre_destroy(sc); > mtx_lock(&gre_mtx); > } I don't see any reason why you can't just replace the specific destroy calls with calls to ifc_simple_destroy(). That would avoid expanding the API. -- Brooks --=20 Any statement of the form "X is the one, true Y" is FALSE. PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4 --1yeeQ81UyVL57Vl7 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQFDSs8KXY6L6fI4GtQRAmjtAKDOxlkwTTaexr6+bn9eB8YOGNf73QCgpdFd 7mBpxyzCuPlmPVYbpVtT2e0= =rBSt -----END PGP SIGNATURE----- --1yeeQ81UyVL57Vl7--