Date:      Fri, 16 Sep 2005 13:58:41 -0600 (MDT)
From:      "M. Warner Losh" <imp@bsdimp.com>
To:        ru@FreeBSD.org
Cc:        cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org, jhb@FreeBSD.org
Subject:   Re: cvs commit: src/sys/dev/re if_re.c
Message-ID:  <20050916.135841.130619528.imp@bsdimp.com>
In-Reply-To: <20050916194405.GB24879@ip.net.ua>
References:  <20050916091928.GG88456@ip.net.ua> <20050916.090140.58827157.imp@bsdimp.com> <20050916194405.GB24879@ip.net.ua>

In message: <20050916194405.GB24879@ip.net.ua>
            Ruslan Ermilov <ru@FreeBSD.org> writes:
: On Fri, Sep 16, 2005 at 09:01:40AM -0600, M. Warner Losh wrote:
: > In message: <20050916091928.GG88456@ip.net.ua>
: >             Ruslan Ermilov <ru@FreeBSD.org> writes:
: > : On Thu, Sep 15, 2005 at 11:56:39PM +0300, Ruslan Ermilov wrote:
: > : > The first is the BPF detach bad interaction with foo_detach(),
: > : > as described in re_detach().  This panic is real with (I think)
: > : > all drivers.  And testing IFF_DRV_RUNNING here doesn't seem to
: > : > be able to prevent the panic.  Perhaps the fix would be to
: > : > move ether_ifdetach() before foo_stop() in foo_detach(), I'm
: > : > not yet sure.
: > : > 
: > : I tried with rl(4) PCCARD, by moving ether_ifdetach() before
: > : rl_stop() in rl_detach().  It fixes the panic when you eject
: > : the card, but doesn't fix it when kldunloading the module.
: > : The difference is that rl_detach() is called already after
: > : miibus0 and rlphy0 have been detached when kldunloading the
: > : module.  When ejecting the card, rl_detach() is called first.
: > : What happens when you kldunload the module with BPF listener
: > : attached, is that bpfdetach() calls rl_ioctl() to reset
: > : promisc, that calls rl_init_locked(), and that results in
: > : 
: > : 	mii = device_get_softc(sc->rl_miibus);
: > : 
: > : being NULL (remember the miibus has already been detached),
: > : and that panics later here:
: > : 
: > : 	mii_mediachg(mii);
: > : 
: > : When we reset IFF_UP, rl_ioctl(SIOCSIFFLAGS) silently exits
: > : and no harm is done.  So the question is: how do we prevent
: > : this from happening without resetting IFF_UP.  One possible
: > : solution would be to add sc->detaching, similar to
: > : sc->suspended, and check it in rl_ioctl().
: > 
: > Ugg.  In ed, we check to make sure that we still have a child before
: > doing things with mii bus.  A similar fix could be made.
: > 
: No, ed(4) has the same problem:
: 
:         if (sc->miibus != NULL) {
:                 struct mii_data *mii;
:                 mii = device_get_softc(sc->miibus);
:                 mii_mediachg(mii);
:         }
: 

No it doesn't:

void
ed_child_detached(device_t dev, device_t child)
{
	struct ed_softc *sc;

	sc = device_get_softc(dev);
	if (child == sc->miibus)
		sc->miibus = NULL;
}

: The device (sc->miibus) will still be there but already detached,
: and its softc will already be freed, so "mii" will be NULL, and
: mii_mediachg(NULL) will panic the system.

sc->miibus will be NULL after the device is detached, so you don't get
an error.

How again can this happen?

Warner
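
An added example, not part of the original message and not FreeBSD source: a userland C model of the question in this thread, namely whether the parent driver still holds a handle to miibus when a late ioctl runs after the child has been detached. The types and the functions nic_child_detached(), detach_child(), nic_mediachg() and scenario() are hypothetical stand-ins, and the model assumes the parent's child_detached callback is invoked when the child detaches.

```c
/* Userland model (constructed; not FreeBSD source). Names are hypothetical. */
#include <stdlib.h>
struct mii_data { int media; };
struct device {
	struct device *parent;
	void *softc;		/* freed and set to NULL on detach */
	void (*child_detached)(struct device *, struct device *);
};
struct nic_softc { struct device *miibus; };

/* Parent callback: drop the child handle, as ed_child_detached() does. */
static void nic_child_detached(struct device *dev, struct device *child)
{
	struct nic_softc *sc = dev->softc;
	if (child == sc->miibus)
		sc->miibus = NULL;
}

/* Detach a child: free its softc, then notify the parent if it listens. */
static void detach_child(struct device *child)
{
	free(child->softc);
	child->softc = NULL;
	if (child->parent->child_detached != NULL)
		child->parent->child_detached(child->parent, child);
}

/* Late ioctl path: 0 = media changed, -1 = skipped, -2 = would panic. */
static int nic_mediachg(struct device *dev)
{
	struct nic_softc *sc = dev->softc;
	if (sc->miibus == NULL)
		return -1;	/* handle was cleared by the callback */
	return sc->miibus->softc != NULL ? 0 : -2;	/* -2: mii would be NULL */
}

/* Attach, detach the child bus, then run the late ioctl path again. */
int scenario(int with_callback)
{
	struct nic_softc sc = { NULL };
	struct device nic = { NULL, &sc, with_callback ? nic_child_detached : NULL };
	struct device bus = { &nic, calloc(1, sizeof(struct mii_data)), NULL };
	sc.miibus = &bus;
	if (nic_mediachg(&nic) != 0)	/* while attached this must succeed */
		return -3;
	detach_child(&bus);
	return nic_mediachg(&nic);
}

int main(void) { return scenario(1) == -1 && scenario(0) == -2 ? 0 : 1; }
```

With the callback registered the stale handle is cleared and the late call is skipped; without it the handle survives the detach and the softc lookup yields NULL, which is the case that would panic in mii_mediachg().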

