From owner-freebsd-current@FreeBSD.ORG Mon Apr 19 01:36:28 2004 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 648A016A4CE for ; Mon, 19 Apr 2004 01:36:28 -0700 (PDT) Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1CC4043D67 for ; Mon, 19 Apr 2004 01:36:28 -0700 (PDT) (envelope-from rizzo@icir.org) Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.9p1/8.12.8) with ESMTP id i3J8aRgd091569; Mon, 19 Apr 2004 01:36:27 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org) Received: (from rizzo@localhost) by xorpc.icir.org (8.12.9p1/8.12.3/Submit) id i3J8aRQt091568; Mon, 19 Apr 2004 01:36:27 -0700 (PDT) (envelope-from rizzo) Date: Mon, 19 Apr 2004 01:36:27 -0700 From: Luigi Rizzo To: Andreas Kohn Message-ID: <20040419013627.A88297@xorpc.icir.org> References: <1082303878.855.6.camel@klamath.syndrom23.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <1082303878.855.6.camel@klamath.syndrom23.de>; from andreas.kohn@gmx.net on Sun, Apr 18, 2004 at 05:57:58PM +0200 cc: current@freebsd.org Subject: Re: Page fault in rt_newaddrmsg on gif0 destruction X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Apr 2004 08:36:28 -0000 Ok i understand what is going on (thanks for the very detailed report, btw) -- basically the code was trying to use ifadd_byindex() after the information had been destroyed. I think the attached patch (basically mving a block of code down in if_detach) should fix the problem. Actually I believe this particular chunk of code should be moved even further down, possibly right before the final IF_AFDATA_UNLOCK(), because you cannot tell, a-priori, what information on the device the lower level routines expect to use, so zeroing the ifindex_table[] or calling destroy_dev() too early is probably a bug. If you can try it (in the proposed form, or moving it at the end of if_detach) and let me khow how it works for you, i can commit the fix. cheers luigi On Sun, Apr 18, 2004 at 05:57:58PM +0200, Andreas Kohn wrote: > Hello, > > since I updated kernel + world two days ago, I get a reproducible panic > on system shutdown. It seems to happen when gif0 is destroyed. > Is there anything I could do to help debugging this problem? > > Regards, > Andreas Kohn Index: if.c =================================================================== RCS file: /home/ncvs/src/sys/net/if.c,v retrieving revision 1.189 diff -u -r1.189 if.c --- if.c 18 Apr 2004 18:59:44 -0000 1.189 +++ if.c 19 Apr 2004 08:31:49 -0000 @ -520,17 +520,6 @@ if_detach(struct ifnet *ifp) s = splnet(); if_down(ifp); - /* - * Remove address from ifindex_table[] and maybe decrement if_index. - * Clean up all addresses. - */ - ifaddr_byindex(ifp->if_index) = NULL; - destroy_dev(ifdev_byindex(ifp->if_index)); - ifdev_byindex(ifp->if_index) = NULL; - - while (if_index > 0 && ifaddr_byindex(if_index) == NULL) - if_index--; - for (ifa = TAILQ_FIRST(&ifp->if_addrhead); ifa; ifa = next) { next = TAILQ_NEXT(ifa, ifa_link); @@ -570,6 +559,17 @@ */ in6_ifdetach(ifp); #endif + /* + * Remove address from ifindex_table[] and maybe decrement if_index. + * Clean up all addresses. + */ + ifaddr_byindex(ifp->if_index) = NULL; + destroy_dev(ifdev_byindex(ifp->if_index)); + ifdev_byindex(ifp->if_index) = NULL; + + while (if_index > 0 && ifaddr_byindex(if_index) == NULL) + if_index--; + /* We can now free link ifaddr. */ ifa = TAILQ_FIRST(&ifp->if_addrhead);