Re: [PANIC] 6.0BETA2 in l2ping flood

From: Andrew Thompson <thompsa_at_freebsd.org> Date: Fri, 19 Aug 2005 13:17:34 +1200 · This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:41 UTC

On Thu, Aug 18, 2005 at 11:01:29PM +0200, Pawel Jakub Dawidek wrote:
> On Thu, Aug 18, 2005 at 11:18:38AM +1200, Andrew Thompson wrote:
> +> Interesting... I can get exactly the same panic by doing
> +> 
> +>  ifconfig bridge0 create
> +>   <'tcpdump -i bridge0' on another terminal>
> +>  ifconfig bridge0 up
> +>  ifconfig bridge0 destroy
> 
> Here, when you destroy bridge0, callout handle is also destroyed,
> but on detach, bpf wants to turn off promiscuous mode and call
> bridge_init(), because it doesn't have IFF_DRV_RUNNING flag set.
> 
> bridge_init() calls callout_reset() on destroyed callout handle.
> 

Thanks for explaining this, you have saved me a lot of suffering.

This patch fixes the panic on destroy, is it the correct way to solve
the problem? I need to commit something before 6.0.

thanks again,

Andrew

Index: if.h
===================================================================
RCS file: /home/ncvs/src/sys/net/if.h,v
retrieving revision 1.98
diff -u -p -r1.98 if.h
--- if.h	9 Aug 2005 12:56:20 -0000	1.98
+++ if.h	18 Aug 2005 22:41:58 -0000
_at__at_ -153,6 +153,7 _at__at_ struct if_data {
 #define	IFF_MONITOR	0x40000		/* (n) user-requested monitor mode */
 #define	IFF_STATICARP	0x80000		/* (n) static ARP */
 #define	IFF_NEEDSGIANT	0x100000	/* (i) hold Giant over if_start calls */
+#define IFF_DRV_DYING	0x200000	/* (d) interface removal is imminent */

 /*
  * Old names for driver flags so that user space tools can continue to use
Index: if_bridge.c
===================================================================
RCS file: /home/ncvs/src/sys/net/if_bridge.c,v
retrieving revision 1.17
diff -u -p -r1.17 if_bridge.c
--- if_bridge.c	15 Aug 2005 02:50:13 -0000	1.17
+++ if_bridge.c	18 Aug 2005 22:41:58 -0000
_at__at_ -496,6 +496,7 _at__at_ bridge_clone_destroy(struct ifnet *ifp)
 	while ((bif = LIST_FIRST(&sc->sc_iflist)) != NULL)
 		bridge_delete_member(sc, bif);

+	ifp->if_drv_flags |= IFF_DRV_DYING;
 	BRIDGE_UNLOCK(sc);

 	mtx_lock(&bridge_list_mtx);
_at__at_ -1209,7 +1210,8 _at__at_ bridge_init(void *xsc)
 	struct bridge_softc *sc = (struct bridge_softc *)xsc;
 	struct ifnet *ifp = sc->sc_ifp;

-	if (ifp->if_drv_flags & IFF_DRV_RUNNING)
+	if (ifp->if_drv_flags & IFF_DRV_RUNNING ||
+	    ifp->if_drv_flags & IFF_DRV_DYING)
 		return;

 	callout_reset(&sc->sc_brcallout, bridge_rtable_prune_period * hz,