From owner-freebsd-arch@FreeBSD.ORG Thu Oct 7 19:30:43 2004
Date: Thu, 7 Oct 2004 15:29:24 -0500 (EST)
From: Sam <sah@softcardsystems.com>
To: freebsd-arch@freebsd.org
Subject: sys/net/netisr.c
List-Id: Discussion related to FreeBSD architecture

Hello -

I think I've found a bug in -- and have a question about the overall
stability of -- sys/net/netisr.c (5.2.1 branch).

My AoE module calls netisr_register on load, netisr_unregister on unload.
Netisr_unregister fails to clear the ni->ni_queue pointer and the next
received frame gets queued up to a page fault. Pretty easy to fix:

--- src/sys/net/netisr.c	Sat Nov  8 17:28:39 2003
+++ src2/sys/net/netisr.c	Thu Oct  7 15:03:39 2004
@@ -103,6 +103,7 @@
 	ni->ni_handler = NULL;
 	if (ni->ni_queue != NULL)
 		IF_DRAIN(ni->ni_queue);
+	ni->ni_queue = NULL;
 }
 
 struct isrstat {

Looking at the code, though, I don't see why I can't cause something just
as ugly to happen anyway. Suppose the following: cpu0 starts processing an
inbound frame while cpu1 unloads the module (calling netisr_unregister). It
*seems* possible for cpu0 to get a pointer to the queue, then cpu1 unload
the module completely, causing cpu0 to page fault on the queue address.

I don't claim to understand the context in which netisr_dispatch is
called, so perhaps I'm off base, but shouldn't there be a mutex protecting
against this?

Please prove me wrong.

Sam
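Review bot: the added `ni->ni_queue = NULL;` is ordered after `IF_DRAIN(ni->ni_queue);`, so a frame queued between the drain and the store is left on the module's queue, and a dispatcher that loaded ni->ni_queue before the store still writes through it once the module is gone; nothing in this hunk serialises netisr_unregister against netisr_dispatch. Suggest detaching first and draining the detached queue (`q = ni->ni_queue; ni->ni_queue = NULL; if (q != NULL) IF_DRAIN(q);`) under whatever lock guards the netisrs table, and a comment on netisr_unregister stating that the ifqueue storage belongs to the caller and that all sources of frames for this isr must be stopped before unregistering. Clearing the pointer is still required, since the storage is the module's, not netisr.c's.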
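The dangling-pointer bug and the unregister/dispatch race raised in the message, modelled in userland as an added example. This is not FreeBSD's code and not Sam's patch: the names netisrs, ni_handler, ni_queue, IF_DRAIN and netisr_register/unregister/queue mirror sys/net/netisr.c, but the struct layouts, the spinlock standing in for a kernel mutex, and the aoe_queue/aoe_intr stand-ins for the module's own storage are assumptions made for illustration. netisr_unregister_buggy keeps the shape of the pre-patch code; netisr_unregister detaches the pointer under the lock before draining, and netisr_queue loads and uses the pointer inside the same lock hold, which is the property the message asks for.

```c
/* Userland model of the registry in sys/net/netisr.c, added here as an
 * example; it is not FreeBSD code.  netisrs, ni_handler, ni_queue, IF_DRAIN
 * and netisr_register/unregister/queue mirror the kernel names; the struct
 * layouts, the spinlock and the "AoE module" storage are assumptions. */
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

#define NETISR_MAX 32
struct mbuf { int id; struct mbuf *m_nextpkt; };
struct ifqueue { struct mbuf *ifq_head, *ifq_tail; int ifq_len; };
typedef void (*netisr_t)(struct mbuf *);
struct netisr { netisr_t ni_handler; struct ifqueue *ni_queue; };

static struct netisr netisrs[NETISR_MAX];
/* Assumed lock standing in for a kernel mutex that covers the table and the
 * head/tail of every registered queue. */
static atomic_flag netisr_mtx = ATOMIC_FLAG_INIT;
static void netisr_lock(void) { while (atomic_flag_test_and_set_explicit(&netisr_mtx, memory_order_acquire)) ; }
static void netisr_unlock(void) { atomic_flag_clear_explicit(&netisr_mtx, memory_order_release); }

/* Stand-ins for the loadable module's own queue storage and handler. */
struct ifqueue aoe_queue;
void aoe_intr(struct mbuf *m) { (void)m; }

static void IF_DRAIN(struct ifqueue *q)
{
	struct mbuf *m;
	while ((m = q->ifq_head) != NULL) { q->ifq_head = m->m_nextpkt; free(m); }
	q->ifq_tail = NULL;
	q->ifq_len = 0;
}

int netisr_register(int num, netisr_t handler, struct ifqueue *q)
{
	if (num < 0 || num >= NETISR_MAX)
		return -1;
	netisr_lock();
	netisrs[num].ni_handler = handler;
	netisrs[num].ni_queue = q;	/* points into the module's memory */
	netisr_unlock();
	return 0;
}

/* Shape of the 5.2.1 code before the patch: handler cleared, queue drained,
 * but ni_queue still points at module memory that is about to be unmapped. */
void netisr_unregister_buggy(int num)
{
	struct netisr *ni = &netisrs[num];
	ni->ni_handler = NULL;
	if (ni->ni_queue != NULL)
		IF_DRAIN(ni->ni_queue);
}

/* Fixed: detach the pointer under the lock, then drain the detached queue.  A
 * dispatcher holding the lock finishes first; a later one sees NULL and drops. */
void netisr_unregister(int num)
{
	struct netisr *ni = &netisrs[num];
	struct ifqueue *q;
	netisr_lock();
	ni->ni_handler = NULL;
	q = ni->ni_queue;
	ni->ni_queue = NULL;
	netisr_unlock();
	if (q != NULL)
		IF_DRAIN(q);
}

/* Queue path of dispatch: 1 if m was queued, 0 if dropped and freed.  The
 * pointer is loaded and dereferenced inside one lock hold. */
int netisr_queue(int num, struct mbuf *m)
{
	struct ifqueue *q;
	netisr_lock();
	q = netisrs[num].ni_queue;
	if (q == NULL) { netisr_unlock(); free(m); return 0; }
	m->m_nextpkt = NULL;
	if (q->ifq_tail == NULL) q->ifq_head = m; else q->ifq_tail->m_nextpkt = m;
	q->ifq_tail = m;
	q->ifq_len++;
	netisr_unlock();
	return 1;
}

/* Non-zero while slot num still points at a queue (the dangling state). */
int netisr_has_queue(int num) { return netisrs[num].ni_queue != NULL; }

struct mbuf *mbuf_alloc(int id)
{
	struct mbuf *m = malloc(sizeof *m);
	m->id = id; m->m_nextpkt = NULL; return m;
}

int main(void)
{
	netisr_register(5, aoe_intr, &aoe_queue);
	netisr_unregister_buggy(5);
	printf("after buggy unregister, ni_queue still set: %d\n", netisr_has_queue(5));
	netisr_unregister(5);
	printf("frame queued after fixed unregister: %d\n", netisr_queue(5, mbuf_alloc(1)));
	return 0;
}
```

In the model the module's storage stays mapped, so the buggy path only shows the stale pointer and the write through it; in the kernel that write lands in unmapped module memory, which is the page fault the message describes. The lock alone does not make unloading safe: the caller still has to stop every source of frames for its isr before calling netisr_unregister, or a frame can arrive in the gap and be dropped rather than delivered.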