Date:      Thu, 15 Mar 2012 10:14:13 +0300
From:      Sergey Kandaurov <pluknet@freebsd.org>
To:        Adarsh Joshi <adarsh.joshi@qlogic.com>
Cc:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>, "freebsd-drivers@freebsd.org" <freebsd-drivers@freebsd.org>
Subject:   Re: crash on lagg interface destroy
Message-ID:  <CAE-mSO%2BwQwm5LJEbBXM%2BzTzavzDe2sb0aGdZyQ13mwyJYCO4zg@mail.gmail.com>
In-Reply-To: <5E4F49720D0BAD499EE1F01232234BA87438162FA4@AVEXMB1.qlogic.org>
References:  <5E4F49720D0BAD499EE1F01232234BA87438162FA4@AVEXMB1.qlogic.org>

On 15 March 2012 02:48, Adarsh Joshi <adarsh.joshi@qlogic.com> wrote:
> Hello everyone,
>
> I tried to destroy a lagg interface (created using laggproto none) and I see the system crash.
>
> Steps to reproduce:
> kldload if_lagg
> ifconfig lagg0 create
> ifconfig lagg0 up laggproto none laggport ql0 laggport ql1 192.168.100.1 netmask 255.255.255.0
> ifconfig lagg0 destroy
>
> uname -a
> FreeBSD bsd-02 7.4-RELEASE FreeBSD 7.4-RELEASE #0: Wed Mar  7 18:16:06 PST 2012     root@bsd-02:/usr/src/sys/amd64/compile/MYKERNEL  amd64
>
> Crash:
>
> Tracing command ifconfig pid 1443 tid 100182 td 0xffffff0023358740
> Uart_z8530_class() at 0
> Ifc_simple_destroy() at Ifc_simple_destroy+0x2a
> If_clone_destroyif() at If_clone_destroyif+0xa5
> Ifioctl() at ifioctl+0x300
> Kern_ioctl() at kern_ioctl+0xa2
> Ioctl() at ioctl+0xf9
> Syscall() at syscall+0x252
> Xfast_syscall() at Xfast_syscall+0xab
> --- syscall (54, FreeBSD ELF64, ioctl), rip = 0x8008324bc, rsp = 0x7fffffffe348, rbp = 0x7ffffffffee27 ---

This is just a thought.

This thread has probably lost the race when it tried to take a valid pointer
to ifnet for the given interface using the ifunit() function (as done in
if_clone_destroyif()) and is then dereferencing a pointer to already
freed memory. Since FreeBSD 8.1 this was changed to use ifunit_ref() to
protect the ifnet pointer against early destroy by reference counting the ifnet
pointer. But this function doesn't exist in 7.x. If this is the case, then
this should be easily reproduced when two parallel threads are trying to
destroy the cloned interface.

So, first I'd try to upgrade to 8.1 or above.

-- 
wbr,
pluknet
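
The reference-counted lookup described in the reply above, as an added userland C example that is not part of the original thread and is not FreeBSD's ifnet code. The names `iface_*`, `registry`, `slot_of` and `demo` are hypothetical, and the two-thread interleaving is replayed in a single thread so the outcome is deterministic.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical userland model (all names assumed), not FreeBSD's ifnet code. */
struct iface { char name[16]; int refs; int linked; };
static struct iface *registry[4];   /* toy interface list */
static int frees;                   /* counts real frees */
static int slot_of(const char *name) {
    for (int i = 0; i < 4; i++)
        if (registry[i] && strcmp(registry[i]->name, name) == 0) return i;
    return -1;
}
static struct iface *iface_create(const char *name) {
    struct iface *ifp = calloc(1, sizeof(*ifp));
    if (ifp == NULL) return NULL;
    strncpy(ifp->name, name, sizeof(ifp->name) - 1);
    ifp->refs = 1; ifp->linked = 1;      /* the registry's own reference */
    for (int i = 0; i < 4; i++)
        if (registry[i] == NULL) { registry[i] = ifp; return ifp; }
    free(ifp);                           /* registry full */
    return NULL;
}
static void iface_rele(struct iface *ifp) {   /* frees only on the last ref */
    if (--ifp->refs == 0) { frees++; free(ifp); }
}
/* Counted lookup, the ifunit_ref() idea; a kernel does this under a lock. */
static struct iface *iface_lookup_ref(const char *name) {
    int i = slot_of(name);
    if (i >= 0) registry[i]->refs++;
    return i >= 0 ? registry[i] : NULL;
}
/* Unlink so new lookups fail, then drop the registry's reference. */
static int iface_destroy(const char *name) {
    int i = slot_of(name);
    if (i < 0) return -1;                /* losing destroyer: clean error */
    struct iface *ifp = registry[i];
    registry[i] = NULL; ifp->linked = 0;
    iface_rele(ifp);
    return 0;
}
/* Interleaving from the mail: A looks up, B destroys, A carries on. */
static int demo(void) {
    if (iface_create("lagg0") == NULL) return 0;
    struct iface *a = iface_lookup_ref("lagg0");    /* thread A */
    int b = iface_destroy("lagg0");                 /* thread B wins */
    /* A's pointer is still valid, and A's own destroy finds nothing. */
    int ok = frees == 0 && a->linked == 0 && iface_destroy("lagg0") == -1;
    iface_rele(a);                                  /* last reference frees */
    return ok && b == 0 && frees == 1;
}
int main(void) { return demo() ? 0 : 1; }
```

With an uncounted lookup (the `ifunit()` pattern the reply describes for 7.x), thread B's destroy would free the object while thread A still held the raw pointer.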


