From owner-freebsd-bugs Sun Mar 25 11:40: 6 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id E09F337B718 for ; Sun, 25 Mar 2001 11:40:02 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f2PJe2O42284; Sun, 25 Mar 2001 11:40:02 -0800 (PST) (envelope-from gnats)
Date: Sun, 25 Mar 2001 11:40:02 -0800 (PST)
Message-Id: <200103251940.f2PJe2O42284@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
Cc:
From: Ian Dowse
Subject: Re: i386/26049: bug in modular vn code causes a fatal trap 12
Reply-To: Ian Dowse
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The following reply was made to PR i386/26049; it has been noted by GNATS.

From: Ian Dowse
To: chervarium@nove.bg
Cc: freebsd-gnats-submit@FreeBSD.org, iedowse@maths.tcd.ie
Subject: Re: i386/26049: bug in modular vn code causes a fatal trap 12
Date: Sun, 25 Mar 2001 20:30:38 +0100

In message <200103241152.f2OBqOh33828@freefall.freebsd.org>, chervarium@nove.bg writes:
>@@ -776,6 +776,7 @@ > vnclear(vn); > free(vn, M_DEVBUF); > } >+ cdevsw_remove(&vn_cdevsw); > break;

Thanks for the bug report, though it seems that this patch is not quite enough to solve the problems that occur when unloading the `vn' module after use. If you attempt to use vnconfig again after the module has been unloaded, it may appear to work, but the system could become unstable and crash somewhere else.

With 'options INVARIANTS' in the kernel config file, this problem is much more obvious and the following sequence of operations will cause a crash.

	dd if=/dev/zero bs=1k count=100 of=/tmp/foo
	vnconfig -e /dev/vn0 /tmp/foo
	vnconfig -u /dev/vn0
	kldunload vn
	vnconfig -e /dev/vn0 /tmp/foo

The following patch, which includes the cdevsw_remove you suggested, seems to solve this. The module stores a pointer to the vn_softc in the device si_drv1 field, but this pointer will be stale if the module is unloaded and then reloaded. This patch avoids the use of this saved pointer in vnopen by forcing a full lookup.

Ian

Index: vn.c =================================================================== RCS file: /dump/FreeBSD-CVS/src/sys/dev/vn/Attic/vn.c,v retrieving revision 1.105.2.1 diff -u -r1.105.2.1 vn.c --- vn.c 2000/05/15 16:50:33 1.105.2.1 +++ vn.c 2001/03/25 19:09:54 @@ -177,13 +177,10 @@ struct vn_softc *vn; unit = dkunit(dev); - vn = dev->si_drv1; - if (!vn) { - SLIST_FOREACH(vn, &vn_list, sc_list) { - if (vn->sc_unit == unit) { - dev->si_drv1 = vn; - break; - } + SLIST_FOREACH(vn, &vn_list, sc_list) { + if (vn->sc_unit == unit) { + dev->si_drv1 = vn; + break; } } if (!vn) { @@ -208,9 +205,7 @@ /* * Locate preexisting device */ - - if ((vn = dev->si_drv1) == NULL) - vn = vnfindvn(dev); + vn = vnfindvn(dev); /* * Update si_bsize fields for device. This data will be overriden by 
@@ -776,6 +771,7 @@ vnclear(vn); free(vn, M_DEVBUF); } + cdevsw_remove(&vn_cdevsw); break; default: break;
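
Review bot: in the @@ -177,13 +177,10 @@ hunk the new loop still executes `dev->si_drv1 = vn;`, so the cached pointer that the message describes as going stale across an unload and reload is still written; it is only no longer read on this path. Consider clearing si_drv1 when the softc is freed at unload, or dropping the assignment if nothing else reads the field, so that no other reader can pick up a freed vn_softc. The `if (!vn)` that follows also relies on SLIST_FOREACH leaving vn NULL when no unit matches, which deserves a one-line comment now that it is the only lookup.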
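
Review bot: the @@ -208,9 +205,7 @@ hunk leaves the comment "Locate preexisting device" unchanged above `vn = vnfindvn(dev);`, with nothing recording that the si_drv1 shortcut was removed on purpose. A sentence in that comment saying the cached pointer may be stale after the module is unloaded and reloaded would keep the check from being reintroduced later as an optimisation. No NULL check on the result is visible in this hunk; confirm that vnfindvn(dev) cannot return NULL here.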
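
Review bot: in the @@ -776,6 +771,7 @@ hunk `cdevsw_remove(&vn_cdevsw);` is placed after the block that calls vnclear(vn) and free(vn, M_DEVBUF), so the device switch stays registered while the per-unit state is being torn down. Consider unregistering before that block so nothing can reach the driver through the switch once freeing has started, and if cdevsw_remove returns a status, check it or discard it explicitly rather than silently.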