Date: Mon, 10 Oct 2005 12:36:37 +1300 From: Andrew Thompson <thompsa@freebsd.org> To: Yar Tikhiy <yar@comp.chem.msu.su> Cc: Brooks Davis <brooks@freebsd.org>, Pawel Jakub Dawidek <pjd@freebsd.org>, FreeBSD Current <current@freebsd.org> Subject: Re: panic: ifc_free_unit: bit is already cleared Message-ID: <20051009233637.GA95679@heff.fud.org.nz> In-Reply-To: <20051009232849.GA27349@comp.chem.msu.su> References: <20051005024903.GA72743@heff.fud.org.nz> <20051005203639.GA20552@garage.freebsd.pl> <20051005205515.GA30350@odin.ac.hmc.edu> <20051005210950.GB75848@heff.fud.org.nz> <20051009232849.GA27349@comp.chem.msu.su>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Oct 10, 2005 at 03:28:49AM +0400, Yar Tikhiy wrote: > On Thu, Oct 06, 2005 at 10:09:50AM +1300, Andrew Thompson wrote: > > On Wed, Oct 05, 2005 at 01:55:15PM -0700, Brooks Davis wrote: > > > On Wed, Oct 05, 2005 at 10:36:39PM +0200, Pawel Jakub Dawidek wrote: > > > > On Wed, Oct 05, 2005 at 03:49:03PM +1300, Andrew Thompson wrote: > > > > +> Hi, > > > > +> > > > > +> I have found a repeatable panic with network device cloning, unfortunatly I am > > > > +> unable to dump on this box. This is sparc64 with a 2 day old current. > > > > > > > > The order is wrong in vlan_modevent(). > > > > > > > > if_clone_detach() is freeing ifc_units field, so ifc_free_unit() should not > > > > be called after that. > > > > > > > > This patch should fix the problem: > > > > > > > > http://people.freebsd.org/~pjd/patches/if_vlan.c.patch > > > > > > Yes. This does introduce a race in that a new interface could > > > be created between the vlan_clone_destroy loop and the call to > > > if_clone_detach. > > > > I dont think this is the problem. IF_CLONE_REMREF(ifc) is freeing > > ifc->ifc_units in if_clone_detach(). It look like the ref counting isnt > > working quite right. > > FWIW, I tried to look at the $subject problem since I had had it > before, but just got a different panic: > > Memory modified after free 0xc140b000(4092) val=deadc0dc @ 0xc140b000 > panic: Most recently used by clone > > The clone code seems to have decremented something (refcount?) twice > after freeing the memory chunk. Yes, it still clears the interface bit in ifc_units in ifc_free_unit() after freeing the memory (for if_vlan and if_stf). I want to change the refcounting to count the number of cloned interfaces and have been playing with the code. The main problem is when a module is unloaded it doesnt use the if_clone* routines when destoying the interfaces in the simple_clone case. Andrew
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051009233637.GA95679>