From owner-freebsd-current@FreeBSD.ORG Sat Jul 21 21:08:01 2007
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: current@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 80EF416A417; Sat, 21 Jul 2007 21:08:01 +0000 (UTC) (envelope-from thompsa@FreeBSD.org)
Received: from heff.fud.org.nz (203-109-251-39.static.bliink.ihug.co.nz [203.109.251.39]) by mx1.freebsd.org (Postfix) with ESMTP id 1DCE213C461; Sat, 21 Jul 2007 21:08:01 +0000 (UTC) (envelope-from thompsa@FreeBSD.org)
Received: by heff.fud.org.nz (Postfix, from userid 1001) id 781E91CC58; Sun, 22 Jul 2007 09:07:59 +1200 (NZST)
Date: Sun, 22 Jul 2007 09:07:59 +1200
From: Andrew Thompson
To: Attilio Rao
Message-ID: <20070721210759.GA84580@heff.fud.org.nz>
References: <200707211925.59698.dfr@rabson.org> <46A252C3.5050804@FreeBSD.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <46A252C3.5050804@FreeBSD.org>
User-Agent: Mutt/1.5.13 (2006-08-11)
Cc: current@freebsd.org
Subject: Re: if_bridge crash
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
X-List-Received-Date: Sat, 21 Jul 2007 21:08:01 -0000

On Sat, Jul 21, 2007 at 08:38:59PM +0200, Attilio Rao wrote:
> Doug Rabson wrote:
> >I've been using if_bridge and if_tap to join various qemu virtual
> >machines onto my local network. I use this script to set up the bridge:
> >
> >  ifconfig bridge0 create
> >  ifconfig tap0 create
> >  ifconfig bridge0 addm vr0 addm tap0 up
> >
> >I had forgotten what stupid mac address qemu had made up for its
> >interface and I needed to adjust my dhcpd config so I typed 'ifconfig
> >bridge addr' to list the addresses on the bridge and got an instant
> >panic. Qemu was not running at this point. The kernel address where it
> >crashed was good - it was the userland address which faulted.
> >
> >The crash was in generic_copyout+0x36 called from bridge_ioctl+0x1ae. I
> >took a look at the code and as far as I can make out, trap() got a bit
> >confused and managed to ignore the pcb_onfault marker left by copyout.
> >It's hard to tell exactly what happened since the damn compiler has
> >optimised the crap out of the code there.
> >
> >As far as I can see, the bridge code is calling copyout with a mutex
> >held. Is that allowed? It doesn't sound like it should be allowed but
> >I'm not quite up-to-date on that aspect of the current kernel api.
>
> Since a copyout() can generate a page fault (which can let the thread
> sleep) it is not allowed to maintain either a blockable lock (mutex,
> rwlock) or a spinlock over a copyout.

Please test this patch.

cheers,
Andrew
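The patch itself is not reproduced in this message, so the following is an added user-space model of the rule Attilio states above, written for this page and not taken from the FreeBSD tree or from anyone in the thread. copyout(9) can page-fault on the user address and the fault handler can sleep, so nothing may hold a mutex across it; the usual fix in an ioctl handler is to snapshot the data into a private kernel buffer under the lock, drop the lock, and only then copyout. All names here (mtx_lock_model, copyout_model, bridge_ioctl_gifs_bad/good, the sample MAC addresses) are constructed stand-ins for mutex(9), copyout(9) and bridge_ioctl(); the violation counter plays the role of the panic or WITNESS complaint the real kernel would raise.

```c
/*
 * User-space model of "no sleeping (copyout, M_WAITOK malloc) under a mutex".
 * Added example, not FreeBSD kernel code; every *_model name is a stand-in.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int locks_held;        /* WITNESS-style: mutexes this "thread" holds now */
static int sleep_violations;  /* sleepable call made with a mutex held */

struct mtx_model { int locked; };
static void mtx_lock_model(struct mtx_model *m)   { m->locked = 1; locks_held++; }
static void mtx_unlock_model(struct mtx_model *m) { m->locked = 0; locks_held--; }

/* Stand-in for copyout(9): the real one may fault and sleep on the user page.
 * With a mutex held the kernel would panic; here we record it and fail. */
static int copyout_model(const void *kaddr, void *uaddr, size_t len)
{
    if (locks_held > 0) {
        sleep_violations++;
        return EFAULT;
    }
    memcpy(uaddr, kaddr, len);
    return 0;
}

struct mac_entry { uint8_t addr[6]; };

struct bridge_model {
    struct mtx_model mtx;        /* the bridge mutex */
    struct mac_entry *members;   /* addresses the bridge knows about */
    size_t nmembers;
};

/* The shape of the reported crash: copyout() while the bridge mutex is held. */
static int bridge_ioctl_gifs_bad(struct bridge_model *sc, struct mac_entry *ubuf, size_t ubufcnt)
{
    size_t n;
    int err;

    mtx_lock_model(&sc->mtx);
    n = sc->nmembers < ubufcnt ? sc->nmembers : ubufcnt;
    err = copyout_model(sc->members, ubuf, n * sizeof(*ubuf)); /* may sleep under the lock */
    mtx_unlock_model(&sc->mtx);
    return err;
}

/* Safe shape: size under the lock, drop it, allocate (M_WAITOK can sleep too),
 * re-lock to snapshot into the private buffer, drop it, then copyout. */
static int bridge_ioctl_gifs_good(struct bridge_model *sc, struct mac_entry *ubuf,
                                  size_t ubufcnt, size_t *ncopied)
{
    struct mac_entry *snap;
    size_t alloc, n;
    int err;

    mtx_lock_model(&sc->mtx);
    alloc = sc->nmembers;
    mtx_unlock_model(&sc->mtx);
    if (alloc > ubufcnt)
        alloc = ubufcnt;             /* never write past the caller's buffer */
    if (alloc == 0) {
        *ncopied = 0;
        return 0;
    }
    snap = malloc(alloc * sizeof(*snap));   /* no lock held while allocating */
    if (snap == NULL)
        return ENOMEM;

    mtx_lock_model(&sc->mtx);
    n = sc->nmembers < alloc ? sc->nmembers : alloc; /* list may have changed meanwhile */
    memcpy(snap, sc->members, n * sizeof(*snap));
    mtx_unlock_model(&sc->mtx);

    err = copyout_model(snap, ubuf, n * sizeof(*snap)); /* lock already dropped */
    free(snap);
    if (err == 0)
        *ncopied = n;
    return err;
}

/* Constructed sample bridge with two made-up member addresses. */
static struct mac_entry sample_members[2] = {
    {{0x00, 0x11, 0x22, 0x33, 0x44, 0x55}},
    {{0x52, 0x54, 0x00, 0x12, 0x34, 0x56}},
};

/* Error from the lock-held copyout: nonzero, and a violation is recorded. */
static int demo_bad(void)
{
    struct mac_entry ubuf[4];
    struct bridge_model sc = { {0}, sample_members, 2 };
    return bridge_ioctl_gifs_bad(&sc, ubuf, 4);
}

/* Entries that reached "userland" intact via the safe path, or -1 on any failure. */
static int demo_good(size_t ubufcnt)
{
    struct mac_entry ubuf[4] = {{{0}}};
    struct bridge_model sc = { {0}, sample_members, 2 };
    size_t ncopied = 0;
    int before = sleep_violations;

    if (ubufcnt > 4 || bridge_ioctl_gifs_good(&sc, ubuf, ubufcnt, &ncopied) != 0)
        return -1;
    if (memcmp(ubuf, sample_members, ncopied * sizeof(*ubuf)) != 0)
        return -1;
    if (locks_held != 0 || sleep_violations != before)
        return -1;
    return (int)ncopied;
}

int main(void)
{
    int bad = demo_bad();
    printf("copyout under mutex: err=%d violations=%d\n", bad, sleep_violations);
    printf("snapshot then copyout: copied=%d\n", demo_good(4));
    return 0;
}
```

The two-phase shape matters because the obvious alternative, allocating the temporary buffer while still holding the mutex, just moves the sleep from copyout into malloc(M_WAITOK); M_NOWAIT under the lock is legal but can fail under memory pressure. Re-reading the member count after re-locking, and bounding it by what was allocated, is what keeps the snapshot safe if the list changed while the lock was dropped.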