From: "Bruce M. Simpson"
Date: Fri, 13 Apr 2007 17:18:14 +0100
To: "Bruce M. Simpson"
Cc: freebsd-net@freebsd.org, Andrew Thompson
Subject: Re: ipv6 multicast refcnt panic

I speculate that the problem you are seeing in netinet6 is due to it not freeing referenced in6_multi objects when the interface address changes or the same address is re-added, as the same bug was present in netinet. Previous to the introduction of refcounting, FreeBSD would just leak memory.

Further to this:

The problem Yar was seeing with vlan and pfsync, which I pointed out, was an older bug which has been progressively shuffled around the stack due to code rewrites. I have a fix for the kernel panic caused by pfsync's member interface being detached which is now checked into bms_netdev, it should probably go straight into -CURRENT.

The fix is cumulative -- pfsync's detach handler is called after netinet has torn down all inet state for an instance of ifnet, therefore it should not be trying to call in_delmulti(), however it should mark the ifp as no longer valid for pfsync's use.

A suggested architectural fix going forward, is to change the semantics of objects owned by the netinet and netinet6 protocol domains, such as multicast group objects, to tear down hardware state when the ifnet instance goes away, yet allow consumers elsewhere in the kernel to retain handles for such objects.

This is what the lower-level net code now does for ifmultiaddr objects. if_delmulti_locked() accepts an argument which specifies whether it is being called from if_detach().
If so, hardware state is torn down, and internal structures are freed, but the object *is not* freed if its reference count is not zero as someone still holds a pointer.

In plainer language: netinet and netinet6 should probably be doing the same thing as net now does, insofar as this only applies to ifmultiaddr, the same should be done for in_multi and in6_multi.

Of course, it would be easier to do this if per-protocol-domain state in ifnet were e.g. moved to the if_afdata[] array currently defined in ifnet for this purpose, this is guaranteed to break the ABI.

The situation in ifnet as it stands just now strikes me as one of confusion.

Regards,
BMS
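
A userland C model of the semantics described in the message above: detach tears down hardware state immediately, but the object is freed only when its last reference is dropped, so a consumer's retained handle never dangles. This is an added example, not code from the post or from FreeBSD; `struct ifnet_model`, `struct maddr`, `maddr_join()`, `maddr_del()` and `consumer_survives_detach()` are hypothetical names.

```c
/* Userland model only: all names here are hypothetical, not kernel API. */
#include <stdbool.h>
#include <stdlib.h>

struct ifnet_model { int hw_filters; };  /* programmed hardware filters */

struct maddr {
    struct ifnet_model *ifp;  /* NULL once the interface has detached */
    int refcnt;
};

/* Join a group: program the hardware, hand back one reference. */
struct maddr *maddr_join(struct ifnet_model *ifp) {
    struct maddr *ma = calloc(1, sizeof(*ma));
    if (ma == NULL) return NULL;
    ma->ifp = ifp;
    ma->refcnt = 1;
    ifp->hw_filters++;
    return ma;
}

/* Drop one reference; detaching is true when called from interface
 * teardown. Returns true only if the object itself was freed. */
bool maddr_del(struct maddr *ma, bool detaching) {
    if (ma->ifp != NULL && (detaching || ma->refcnt == 1)) {
        ma->ifp->hw_filters--;  /* tear down hardware state */
        ma->ifp = NULL;         /* mark the handle as no longer backed */
    }
    if (--ma->refcnt > 0)
        return false;           /* someone still holds a pointer */
    free(ma);
    return true;
}

/* A consumer keeps a handle across detach, then releases it.
 * Returns 0 when every step behaves as described in the message. */
int consumer_survives_detach(void) {
    struct ifnet_model ifn = { 0 };
    struct maddr *ma = maddr_join(&ifn);
    if (ma == NULL) return -1;
    ma->refcnt++;                            /* consumer's own reference */
    bool freed_early = maddr_del(ma, true);  /* interface detaches */
    bool stale = (ma->ifp == NULL);          /* safe read: still allocated */
    bool freed_last = maddr_del(ma, false);  /* consumer lets go */
    return (!freed_early && stale && freed_last && ifn.hw_filters == 0) ? 0 : 1;
}

int main(void) { return consumer_survives_detach(); }
```

The consumer checks `ma->ifp` before touching the interface, which corresponds to the detach handler marking the ifp as no longer valid instead of calling into already torn-down state.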