Date: Fri, 19 Aug 2005 13:17:34 +1200
From: Andrew Thompson
To: Pawel Jakub Dawidek
Cc: freebsd-current@freebsd.org, rwatson@FreeBSD.org
Subject: Re: [PANIC] 6.0BETA2 in l2ping flood

On Thu, Aug 18, 2005 at 11:01:29PM +0200, Pawel Jakub Dawidek wrote:
> On Thu, Aug 18, 2005 at 11:18:38AM +1200, Andrew Thompson wrote:
> +> Interesting... I can get exactly the same panic by doing
> +>
> +> ifconfig bridge0 create
> +> <'tcpdump -i bridge0' on another terminal>
> +> ifconfig bridge0 up
> +> ifconfig bridge0 destroy
>
> Here, when you destroy bridge0, callout handle is also destroyed,
> but on detach, bpf wants to turn off promiscuous mode and call
> bridge_init(), because it doesn't have IFF_DRV_RUNNING flag set.
>
> bridge_init() calls callout_reset() on destroyed callout handle.
>

Thanks for explaining this, you have saved me a lot of suffering.

This patch fixes the panic on destroy, is it the correct way to solve the
problem? I need to commit something before 6.0.

thanks again,

Andrew

Index: if.h =================================================================== RCS file: /home/ncvs/src/sys/net/if.h,v retrieving revision 1.98 diff -u -p -r1.98 if.h --- if.h 9 Aug 2005 12:56:20 -0000 1.98 +++ if.h 18 Aug 2005 22:41:58 -0000 
@@ -153,6 +153,7 @@ struct if_data { #define IFF_MONITOR 0x40000 /* (n) user-requested monitor mode */ #define IFF_STATICARP 0x80000 /* (n) static ARP */ #define IFF_NEEDSGIANT 0x100000 /* (i) hold Giant over if_start calls */ +#define IFF_DRV_DYING 0x200000 /* (d) interface removal is imminent */ /* * Old names for driver flags so that user space tools can continue to use Index: if_bridge.c =================================================================== RCS file: /home/ncvs/src/sys/net/if_bridge.c,v retrieving revision 1.17 diff -u -p -r1.17 if_bridge.c --- if_bridge.c 15 Aug 2005 02:50:13 -0000 1.17 +++ if_bridge.c 18 Aug 2005 22:41:58 -0000 @@ -496,6 +496,7 @@ bridge_clone_destroy(struct ifnet *ifp) while ((bif = LIST_FIRST(&sc->sc_iflist)) != NULL) bridge_delete_member(sc, bif); + ifp->if_drv_flags |= IFF_DRV_DYING; BRIDGE_UNLOCK(sc); mtx_lock(&bridge_list_mtx); @@ -1209,7 +1210,8 @@ bridge_init(void *xsc) struct bridge_softc *sc = (struct bridge_softc *)xsc; struct ifnet *ifp = sc->sc_ifp; - if (ifp->if_drv_flags & IFF_DRV_RUNNING) + if (ifp->if_drv_flags & IFF_DRV_RUNNING || + ifp->if_drv_flags & IFF_DRV_DYING) return; callout_reset(&sc->sc_brcallout, bridge_rtable_prune_period * hz,
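
Review bot: In the if.h hunk, IFF_DRV_DYING is tagged (d) but is defined in the run of (n) and (i) flags directly after IFF_NEEDSGIANT, and within this patch only if_bridge.c sets or tests it. Either document in if.h what the flag promises to the rest of the stack and which code is expected to honor it, or keep the "being destroyed" state private to the bridge softc so that a generic interface flag bit is not spent on a single driver. The definition also lands just above the "Old names for driver flags so that user space tools can continue to use" comment, so the header should state whether this bit is meant to be visible to user space.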
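
Review bot: In the bridge_clone_destroy() hunk, the flag is set only after the bridge_delete_member() loop has finished and immediately before BRIDGE_UNLOCK(sc), while the matching test added to bridge_init() shows no lock being taken in its visible context. Set the flag at the start of the teardown rather than at the end of the locked region, and add a comment naming the lock that orders the store against the check in bridge_init(). A one-line comment saying why the flag exists (bpf detach turning off promiscuous mode and calling bridge_init() after the callout handle is gone, as described in the thread) would keep the next reader from removing it.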
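
Review bot: In the bridge_init() hunk, the new early return tests two bits of the same word in separate clauses and relies on & binding tighter than ||; "if (ifp->if_drv_flags & (IFF_DRV_RUNNING | IFF_DRV_DYING))" says the same thing in one mask. The check also protects only this one call to callout_reset(&sc->sc_brcallout, ...), so any other path that touches sc_brcallout once bridge_clone_destroy() has run is still unguarded. Before committing, confirm that bridge_init() is the only such path, or consider ordering the destroy so that the interface is detached before the callout handle is torn down.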