From owner-freebsd-net@FreeBSD.ORG  Sat Jan 12 07:00:06 2008
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 311E416A417
	for <freebsd-net@hub.freebsd.org>; Sat, 12 Jan 2008 07:00:06 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id 2A81013C442
	for <freebsd-net@hub.freebsd.org>; Sat, 12 Jan 2008 07:00:06 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m0C7057t007261
	for <freebsd-net@freefall.freebsd.org>; Sat, 12 Jan 2008 07:00:05 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m0C705JI007260;
	Sat, 12 Jan 2008 07:00:05 GMT (envelope-from gnats)
Date: Sat, 12 Jan 2008 07:00:05 GMT
Message-Id: <200801120700.m0C705JI007260@freefall.freebsd.org>
To: freebsd-net@FreeBSD.org
From: KUROSAWA Takahiro <fwkg7679@mb.infoweb.ne.jp>
Cc: 
Subject: Re: kern/116837: ifconfig tunX destroy: panic
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: KUROSAWA Takahiro <fwkg7679@mb.infoweb.ne.jp>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Jan 2008 07:00:06 -0000

The following reply was made to PR kern/116837; it has been noted by GNATS.

From: KUROSAWA Takahiro <fwkg7679@mb.infoweb.ne.jp>
To: bug-followup@FreeBSD.org, jkpyvxmzsa@mailinator.com
Cc:  
Subject: Re: kern/116837: ifconfig tunX destroy: panic
Date: Sat, 12 Jan 2008 15:48:39 +0900

 The KASSERT() check in tun_destroy() seems incorrect
 since the function can actually be called while
 a user thread is opening /dev/tunX.  If we needed to
 ensure that no threads have fd for /dev/tunX in
 tun_destroy(), we should implement it in if_tun.
 
 Instead, we can rely on destroy_dev() to ensure that
 no threads access /dev/tunX anymore (the function
 blocks when there are threads accessing the device).
 But just deleting KASSERT() is insufficient because
 there is a race condition: tun_destroy() calls
 if_free() before destroy_dev(), so user threads might
 access the destroyed ifnet structure by read()/write()/...
 on /dev/tunX.
 
 I guess the following change is needed for if_tun.c:
 
 --- sys/net/if_tun.c	2008/01/11 04:14:11	1.1
 +++ sys/net/if_tun.c	2008/01/12 04:04:39
 @@ -249,15 +249,12 @@ tun_destroy(struct tun_softc *tp)
  {
  	struct cdev *dev;
  
 -	/* Unlocked read. */
 -	KASSERT((tp->tun_flags & TUN_OPEN) == 0,
 -	    ("tununits is out of sync - unit %d", TUN2IFP(tp)->if_dunit));
 -
  	dev = tp->tun_dev;
 +	/* destroy_dev() ensures no threads access /dev/tunX anymore. */
 +	destroy_dev(dev);
  	bpfdetach(TUN2IFP(tp));
  	if_detach(TUN2IFP(tp));
  	if_free(TUN2IFP(tp));
 -	destroy_dev(dev);
  	knlist_destroy(&tp->tun_rsel.si_note);
  	mtx_destroy(&tp->tun_mtx);
  	free(tp, M_TUN);