From owner-cvs-src@FreeBSD.ORG Thu Jun 29 13:12:11 2006 Return-Path: X-Original-To: cvs-src@FreeBSD.org Delivered-To: cvs-src@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 62C0916A403; Thu, 29 Jun 2006 13:12:11 +0000 (UTC) (envelope-from yar@comp.chem.msu.su) Received: from comp.chem.msu.su (comp.chem.msu.su [158.250.32.97]) by mx1.FreeBSD.org (Postfix) with ESMTP id E453C44471; Thu, 29 Jun 2006 13:12:09 +0000 (GMT) (envelope-from yar@comp.chem.msu.su) Received: from comp.chem.msu.su (localhost [127.0.0.1]) by comp.chem.msu.su (8.13.4/8.13.3) with ESMTP id k5TDC5rV067978; Thu, 29 Jun 2006 17:12:06 +0400 (MSD) (envelope-from yar@comp.chem.msu.su) Received: (from yar@localhost) by comp.chem.msu.su (8.13.4/8.13.3/Submit) id k5TDC2mT067976; Thu, 29 Jun 2006 17:12:02 +0400 (MSD) (envelope-from yar) Date: Thu, 29 Jun 2006 17:12:01 +0400 From: Yar Tikhiy To: Maxim Konovalov Message-ID: <20060629131201.GA67682@comp.chem.msu.su> References: <200606290752.k5T7qU06021639@repoman.freebsd.org> <20060629132354.D73145@mp2.macomnet.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20060629132354.D73145@mp2.macomnet.net> User-Agent: Mutt/1.5.9i Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/sys/net if_vlan.c X-BeenThere: cvs-src@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: CVS commit messages for the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Jun 2006 13:12:11 -0000 On Thu, Jun 29, 2006 at 01:24:56PM +0400, Maxim Konovalov wrote: > On Thu, 29 Jun 2006, 07:52-0000, Yar Tikhiy wrote: > > > yar 2006-06-29 07:52:30 UTC > > > > FreeBSD src repository > > > > Modified files: > > sys/net if_vlan.c > > Log: > > Detach the interface first, do vlan_unconfig() then. > > Previously, another thread could get a pointer to the > > interface by scanning the system-wide list and sleep > > on the global vlan mutex held by vlan_unconfig(). > > The interface was gone by the time the other thread > > woke up. > > > > In order to be able to call vlan_unconfig() on a detached > > interface, remove the purely cosmetic bzero'ing of IF_LLADDR > > from the function because a detached interface has no addresses. > > > > Noticed by: a stress-testing script by maxim > > Reviewed by: glebius > > Still no cookie :-) > > db> bt > Tracing pid 75800 tid 100098 td 0xc2b0e960 > in_control(c2a1c67c,c02069f6,c40eece0,c2e66000,c2b0e960) at in_control+0x114 > ifioctl(c2a1c67c,c02069f6,c40eece0,c2b0e960,0,...) at ifioctl+0xee > soo_ioctl(c27cb4c8,c02069f6,c40eece0,c2c04980,c2b0e960) at soo_ioctl+0x2db > ioctl(c2b0e960,d56a4d04) at ioctl+0x370 > syscall(3b,3b,3b,bfbfe2c4,0,...) at syscall+0x27e > Xint0x80_syscall() at Xint0x80_syscall+0x1f > --- syscall (54, FreeBSD ELF32, ioctl), eip = 0x2817cb43, esp = > 0xbfbfe28c, ebp = 0xbfbfe2d8 --- > > Let me know if you need more info. I stress tested gif(4) in the same manner for kicks and got a very similar panic in in_control(). I suppose that my change eliminated a concurrency problem in vlan(4) and we began to feel the lack of refcounting at ifnet level. Indeed, a thread can keep a pointer to an ifnet beyond its lifetime and panic the system on access to the dead ifnet. -- Yar