From owner-freebsd-bugs Mon Jan 22 09:23:11 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id JAA28737 for bugs-outgoing; Mon, 22 Jan 1996 09:23:11 -0800 (PST)
Received: from Root.COM (implode.Root.COM [198.145.90.17]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id JAA28727 for ; Mon, 22 Jan 1996 09:23:09 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by Root.COM (8.6.12/8.6.5) with SMTP id JAA16138; Mon, 22 Jan 1996 09:22:56 -0800
Message-Id: <199601221722.JAA16138@Root.COM>
X-Authentication-Warning: implode.Root.COM: Host localhost didn't use HELO protocol
To: Denis Fortin
cc: bugs@freebsd.org, fortin@acm.org
Subject: Re: 2.0.5 crashes daily: multiple frees is if_ppp.c -> more info
In-reply-to: Your message of "Mon, 22 Jan 1996 09:58:56 EST." <199601221458.JAA03015@poterne.mtl.dmr.ca>
From: David Greenman
Reply-To: davidg@Root.COM
Date: Mon, 22 Jan 1996 09:22:56 -0800
Sender: owner-bugs@freebsd.org
Precedence: bulk

> I've just done a send-pr to describe a problem that we're having
>that is causing our internet gateway to crash almost daily.  The
>problem appears to be in /sys/net/if_ppp.c and be caused by "Multiple frees".

   You should upgrade to 2.1-stable. There have been a variety of bugs fixed
that directly relate to problems like this. The most important:

RCS file: /home/ncvs/src/sys/i386/include/spl.h,v
...
revision 1.12
date: 1995/10/30 17:01:37;  author: bde;  state: Exp;  lines: +7 -3
Mask netisrs during softtty isrs.  This may fix PR 798.

SLIP and PPP line discipline interrupt handlers more or less expect
to be called at spltty() == splimp(), although they have internal
splimp()s that are bogus if this expectation is satisfied.  They are
called at splsoftty() from many tty drivers, so they were not protected
from being reentered from their own netisrs.  They certainly don't
expect that but are apparently remarkably robust if it occurs.

The problem in PR 798 seems to be caused by pppstart() being reentered
and finishing off the output in progress by following the (stale)
sc->sc_outm pointer.  Then the original pppstart() finds garbage in
m2 after MFREE(m, m2).  slstart() doesn't have internal state like
sc_outm so reentry of it probably only causes out of order and dropped
packets.

   ...which is likely the cause of your problem.

-DG

David Greenman
Core Team/Principal Architect, The FreeBSD Project
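
Added example, not part of the original message and not FreeBSD source: a small C model of the reentry described in the commit log above, where an output routine is reentered through a stale in-progress pointer, next to the masked case. All names (struct buf, the softc fields, netisr(), start(), max_frees()) are hypothetical, the `masked` flag is an assumed stand-in for running at splimp(), and a "free" only increments a counter.

```c
#include <stddef.h>

#define NBUF 4

/* Constructed model: "freeing" a buffer only bumps a counter, so a double
 * free is observable without corrupting the real heap. */
struct buf { struct buf *next; int frees; };

struct softc {
    struct buf *outm;  /* output in progress, standing in for sc->sc_outm */
    int masked;        /* nonzero: netisr is blocked while start() runs */
    int pending;       /* netisr arrived while masked, run it afterwards */
    int irq_armed;     /* simulated interrupt fires once, inside start() */
};

static void start(struct softc *sc);

/* Simulated netisr that lands in the middle of the output routine. */
static void netisr(struct softc *sc)
{
    if (!sc->irq_armed) return;
    sc->irq_armed = 0;
    if (sc->masked) sc->pending = 1;  /* deferred until the mask drops */
    else start(sc);                   /* reentry on the same softc */
}

static void start(struct softc *sc)
{
    struct buf *m;
    while ((m = sc->outm) != NULL) {
        netisr(sc);            /* window: m is still reachable via sc->outm */
        m->frees++;            /* models MFREE(m, m2) */
        sc->outm = m->next;    /* m2: stale if a reentrant call already ran */
    }
}

/* Drain a chain of NBUF buffers; return the highest per-buffer free count. */
int max_frees(int masked)
{
    struct buf pool[NBUF] = {{0}};
    struct softc sc = { pool, masked, 0, 1 };
    int i, max = 0;
    for (i = 0; i + 1 < NBUF; i++) pool[i].next = &pool[i + 1];
    start(&sc);
    if (sc.pending) { sc.masked = 0; start(&sc); }  /* deferred netisr runs */
    for (i = 0; i < NBUF; i++) if (pool[i].frees > max) max = pool[i].frees;
    return max;
}

int main(void) { return !(max_frees(0) == 2 && max_frees(1) == 1); }
```

With the mask off, the reentrant call drains the chain first and the outer call then walks the same buffers again, so every buffer is freed twice; with the mask on, each buffer is freed exactly once.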