Message-Id: <200601301544.k0UFiVpc022183@www.freebsd.org>
Date: Mon, 30 Jan 2006 15:44:31 GMT
From: Liang Yi
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/92552: A serious bug in most network drivers from R5 to R6

>Number: 92552
>Category: kern
>Synopsis: A serious bug in most network drivers from R5 to R6
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Jan 30 15:50:02 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Liang Yi
>Release: Release 5.x to Release 6.x
>Organization: LingZhou Network Inc
>Environment:
FreeBSD XXXXX 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Fri Jan 27 00:32:43 UTC 2006 i386
>Description:
Since Release 5, the adapter is locked while an interrupt is being received, except while if_input is called. Look at this code in if_em.c:

    EM_UNLOCK(adapter);
    (*ifp->if_input)(ifp, m);
    EM_LOCK(adapter);

After if_input returns, the adapter is locked again. This code is OK most of the time. But if you shut down the interface under heavy load, ioctl would be called by another thread while if_input is being called by the interrupt thread, which will crash the system. The workflow looks like this:

"interrupt thread": lock adapter -> receive packet -> unlock adapter -> if_input -> (task switch)
        |
        V
"ioctl thread": lock adapter -> shutdown interface -> release all resources for this adapter -> unlock adapter -> (task switch)
        |
        V
"interrupt thread": return from if_input -> lock adapter again -> resource not available -> SYSTEM crash!

>How-To-Repeat:
Run a sniffer in a heavy-load environment, then shut down the interface or reboot the machine; the system will crash most of the time.
>Fix:
Add a patch to the drivers which works like above. Use another lock or some special flags to prevent other threads from calling ioctl while receiving packets.
>Release-Note:
>Audit-Trail:
>Unformatted:
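
The interleaving described in the report, replayed deterministically in a user-space C model (an added example, not code from the report or from the FreeBSD drivers). The softc layout, the in_input counter and the stop_pending flag are assumptions that illustrate the "special flags" idea from the Fix field.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical user-space model of a driver softc; names are not from if_em.c. */
struct softc {
    bool locked;        /* stands in for the adapter mutex */
    int  in_input;      /* rx paths inside if_input with the lock dropped */
    bool stop_pending;  /* teardown requested while in_input > 0 */
    int *rx_ring;       /* resource released by the stop path; NULL once freed */
};

static void sc_lock(struct softc *sc)   { sc->locked = true; }
static void sc_unlock(struct softc *sc) { sc->locked = false; }

static void release_resources(struct softc *sc) {
    free(sc->rx_ring);
    sc->rx_ring = NULL;
}

/* ioctl thread: shut the interface down. */
static void ioctl_stop(struct softc *sc, bool guarded) {
    sc_lock(sc);
    if (guarded && sc->in_input > 0)
        sc->stop_pending = true;      /* defer: the rx path still uses the ring */
    else
        release_resources(sc);        /* unguarded: free under the rx path's feet */
    sc_unlock(sc);
}

/* Replays the interleaving from the report. Returns true if the rx path
 * comes back from if_input to find its resources gone (the crash case). */
bool replay(bool guarded) {
    struct softc sc = { .rx_ring = calloc(4, sizeof(int)) };
    bool crashed;

    sc_lock(&sc);                     /* interrupt thread: lock, receive packet */
    sc.in_input++;                    /* the "special flag", set under the lock */
    sc_unlock(&sc);
    ioctl_stop(&sc, guarded);         /* task switch while inside if_input */
    sc_lock(&sc);                     /* return from if_input, lock again */
    sc.in_input--;
    crashed = (sc.rx_ring == NULL);   /* a real driver would dereference here */
    if (!crashed)
        sc.rx_ring[0] = 1;            /* safe: ring is still allocated */
    if (sc.stop_pending && sc.in_input == 0)
        release_resources(&sc);       /* run the deferred teardown */
    sc_unlock(&sc);
    return crashed;
}
```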