From owner-freebsd-net@FreeBSD.ORG Thu Mar 15 07:14:15 2012 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id ED22A1065670; Thu, 15 Mar 2012 07:14:15 +0000 (UTC) (envelope-from pluknet@gmail.com) Received: from mail-lpp01m010-f54.google.com (mail-lpp01m010-f54.google.com [209.85.215.54]) by mx1.freebsd.org (Postfix) with ESMTP id 2EA6E8FC14; Thu, 15 Mar 2012 07:14:14 +0000 (UTC) Received: by lagv3 with SMTP id v3so2958820lag.13 for ; Thu, 15 Mar 2012 00:14:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=K6XgLHNz0GkZ/ypk8akl5gg66lk+E5vk4XWn8S70TjM=; b=hQ5nttDzFNt0blCZBevFTCScfS4R9iuJ8/YS8Sa1Kln32wV/wTfelh7W4wqDwtk02z DxvgOaCE4m+Sfs0zdB7Eq2gqIFDn6PjRY5YSmAiUaP4Hm+APZWX5/CzIj9NywUp3HtPk x+oUqqS2P7wpilYAmozfKMBCNuX9BPfv0vocSMxBM230SarOr5p1S1B9RZj2a3gjyLOh MJ0xPvfHpyQXUds4Nd6skZbW8NEgMlRm2QAX8HOJippkV2zIxQ1s7kG6TrPKXLrHT/wM Od5uK2LwUjksph1PX0FpHjynfNjEJL9c0fgiyX0nfss5wWuLQ9tncb/Vsd0xDhU55Po9 1jGw== MIME-Version: 1.0 Received: by 10.152.133.68 with SMTP id pa4mr448791lab.12.1331795653878; Thu, 15 Mar 2012 00:14:13 -0700 (PDT) Sender: pluknet@gmail.com Received: by 10.152.21.73 with HTTP; Thu, 15 Mar 2012 00:14:13 -0700 (PDT) In-Reply-To: <5E4F49720D0BAD499EE1F01232234BA87438162FA4@AVEXMB1.qlogic.org> References: <5E4F49720D0BAD499EE1F01232234BA87438162FA4@AVEXMB1.qlogic.org> Date: Thu, 15 Mar 2012 10:14:13 +0300 X-Google-Sender-Auth: kl77sVak8cX0bqpPA87Le9PeBu4 Message-ID: From: Sergey Kandaurov To: Adarsh Joshi Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: "freebsd-net@freebsd.org" , "freebsd-drivers@freebsd.org" Subject: Re: crash on lagg interface destroy X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Mar 2012 07:14:16 -0000 On 15 March 2012 02:48, Adarsh Joshi wrote: > Hello everyone, > > I tried to destroy a lagg interface (created using laggproto none) and I = see the system crash. > > Steps to reproduce: > Kldload if_lagg > Ifconfig lagg0 create > ifconfig lagg0 up laggproto none laggport ql0 laggport ql1 192.168.100.1 = netmask 255.255.255.0 > ifconfig lagg0 destroy > > uname -a > FreeBSD bsd-02 7.4-RELEASE FreeBSD 7.4-RELEASE #0: Wed Mar =A07 18:16:06 = PST 2012 =A0 =A0 root@bsd-02:/usr/src/sys/amd64/compile/MYKERNEL =A0amd64 > > Crash: > > Tracing command ifconfig pid 1443 tid 100182 td 0xffffff0023358740 > Uart_z8530_class() at 0 > Ifc_simple_destroy() at Ifc_simple_destroy+0x2a > If_clone_destroyif() at If_clone_destroyif+0xa5 > Ifioctl() at ifioctl+0x300 > Kern_ioctl() at kern_ioctl+0xa2 > Ioctl() at ioctl+0xf9 > Syscall() at syscall+0x252 > Xfast_syscall() at Xfast_syscall+0xab > --- syscall (54, FreeBSD ELF64, ioctl), rip =3D 0x8008324bc, rsp =3D 0x7f= ffffffe348, rbp =3D 0x7ffffffffee27 --- This is just a thought. This thread has probably lost the race when tried to take a valid pointer to ifnet for the given interface using ifunit() function (as done in if_clone_destroyif()) and then is de-referencing a pointer to an already freed memory. Since FreeBSD 8.1 this was changed to use ifunit_ref() to protect ifnet pointer against early destroy by reference counting the ifnet pointer. But this function doesn't exists in 7.x. If this is the case, then this should be easily reproduced when two parallel threads are trying to destroy the cloned interface. So, first I'd try to upgrade to 8.1 or above. --=20 wbr, pluknet