From owner-freebsd-current@FreeBSD.ORG Sun Oct 9 23:36:39 2005 Return-Path: X-Original-To: current@freebsd.org Delivered-To: freebsd-current@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BD7D616A41F; Sun, 9 Oct 2005 23:36:39 +0000 (GMT) (envelope-from thompsa@freebsd.org) Received: from heff.fud.org.nz (60-234-149-201.bitstream.orcon.net.nz [60.234.149.201]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1AB2D43D45; Sun, 9 Oct 2005 23:36:38 +0000 (GMT) (envelope-from thompsa@freebsd.org) Received: by heff.fud.org.nz (Postfix, from userid 1001) id 6BDFF1CCDD; Mon, 10 Oct 2005 12:36:37 +1300 (NZDT) Date: Mon, 10 Oct 2005 12:36:37 +1300 From: Andrew Thompson To: Yar Tikhiy Message-ID: <20051009233637.GA95679@heff.fud.org.nz> Mail-Followup-To: Andrew Thompson , Yar Tikhiy , Brooks Davis , Pawel Jakub Dawidek , FreeBSD Current , Brooks Davis References: <20051005024903.GA72743@heff.fud.org.nz> <20051005203639.GA20552@garage.freebsd.pl> <20051005205515.GA30350@odin.ac.hmc.edu> <20051005210950.GB75848@heff.fud.org.nz> <20051009232849.GA27349@comp.chem.msu.su> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20051009232849.GA27349@comp.chem.msu.su> User-Agent: Mutt/1.4.2.1i Cc: Brooks Davis , Pawel Jakub Dawidek , FreeBSD Current Subject: Re: panic: ifc_free_unit: bit is already cleared X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 09 Oct 2005 23:36:39 -0000 On Mon, Oct 10, 2005 at 03:28:49AM +0400, Yar Tikhiy wrote: > On Thu, Oct 06, 2005 at 10:09:50AM +1300, Andrew Thompson wrote: > > On Wed, Oct 05, 2005 at 01:55:15PM -0700, Brooks Davis wrote: > > > On Wed, Oct 05, 2005 at 10:36:39PM +0200, Pawel Jakub Dawidek wrote: > > > > On Wed, Oct 05, 2005 at 03:49:03PM +1300, Andrew Thompson wrote: > > > > +> Hi, > > > > +> > > > > +> I have found a repeatable panic with network device cloning, unfortunatly I am > > > > +> unable to dump on this box. This is sparc64 with a 2 day old current. > > > > > > > > The order is wrong in vlan_modevent(). > > > > > > > > if_clone_detach() is freeing ifc_units field, so ifc_free_unit() should not > > > > be called after that. > > > > > > > > This patch should fix the problem: > > > > > > > > http://people.freebsd.org/~pjd/patches/if_vlan.c.patch > > > > > > Yes. This does introduce a race in that a new interface could > > > be created between the vlan_clone_destroy loop and the call to > > > if_clone_detach. > > > > I dont think this is the problem. IF_CLONE_REMREF(ifc) is freeing > > ifc->ifc_units in if_clone_detach(). It look like the ref counting isnt > > working quite right. > > FWIW, I tried to look at the $subject problem since I had had it > before, but just got a different panic: > > Memory modified after free 0xc140b000(4092) val=deadc0dc @ 0xc140b000 > panic: Most recently used by clone > > The clone code seems to have decremented something (refcount?) twice > after freeing the memory chunk. Yes, it still clears the interface bit in ifc_units in ifc_free_unit() after freeing the memory (for if_vlan and if_stf). I want to change the refcounting to count the number of cloned interfaces and have been playing with the code. The main problem is when a module is unloaded it doesnt use the if_clone* routines when destoying the interfaces in the simple_clone case. Andrew