Date:      Tue, 25 Feb 2020 06:13:12 +0000
From:      bugzilla-noreply@freebsd.org
To:        net@FreeBSD.org
Subject:   [Bug 244247] Kernel panic due to racecondition in ng_eiface shutdown
Message-ID:  <bug-244247-7501-BJWa5Ja4Es@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-244247-7501@https.bugs.freebsd.org/bugzilla/>
References:  <bug-244247-7501@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=244247

Aleksandr Fedorov <aleksandr.fedorov@itglobal.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |aleksandr.fedorov@itglobal.
                   |                            |com

--- Comment #10 from Aleksandr Fedorov <aleksandr.fedorov@itglobal.com> ---
It seems that there is a race in the function ng_eiface_rmnode().

static int
ng_eiface_rmnode(node_p node)
{
        const priv_p priv = NG_NODE_PRIVATE(node);
        struct ifnet *const ifp = priv->ifp;

        /*
         * the ifnet may be in a different vnet than the netgraph node,
         * hence we have to change the current vnet context here.
         */
        CURVNET_SET_QUIET(ifp->if_vnet);
        ifmedia_removeall(&priv->media);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Remove media

        ether_ifdetach(ifp);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Detach interface. Remove interface from ifnet's list, which is protected by
WLOCK().

        if_free(ifp);
        CURVNET_RESTORE();
        free_unr(V_ng_eiface_unit, priv->unit);
        free(priv, M_NETGRAPH);
        NG_NODE_SET_PRIVATE(node, NULL);
        NG_NODE_UNREF(node);
        return (0);
}

So, the media is already removed, but the interface is still available.

I think the order should be different, like other interfaces do:
1) Detach interface.
2) Free used resources.

Can you test the next patch:

Index: sys/netgraph/ng_eiface.c
===================================================================
--- sys/netgraph/ng_eiface.c    (revision 358308)
+++ sys/netgraph/ng_eiface.c    (working copy)
@@ -621,9 +621,9 @@
         * hence we have to change the current vnet context here.
         */
        CURVNET_SET_QUIET(ifp->if_vnet);
-       ifmedia_removeall(&priv->media);
        ether_ifdetach(ifp);
        if_free(ifp);
+       ifmedia_removeall(&priv->media);
        CURVNET_RESTORE();
        free_unr(V_ng_eiface_unit, priv->unit);
        free(priv, M_NETGRAPH);
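
Review bot: The moved ifmedia_removeall(&priv->media) call, now placed after if_free(ifp), carries no comment explaining why it has to follow ether_ifdetach(ifp), so a later cleanup could move it back above the detach and reopen the window described in this comment. Suggest a one-line comment above the call stating that the media list is torn down only once the interface has been detached. It would also help to say in the commit message whether anything guarantees that a thread which obtained ifp before ether_ifdetach() has finished with priv->media by this point; nothing in the visible lines waits for such callers.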
