On Fri, Aug 19, 2005 at 01:17:34PM +1200, Andrew Thompson wrote:
+> On Thu, Aug 18, 2005 at 11:01:29PM +0200, Pawel Jakub Dawidek wrote:
+> > On Thu, Aug 18, 2005 at 11:18:38AM +1200, Andrew Thompson wrote:
+> > +> Interesting... I can get exactly the same panic by doing
+> > +>
+> > +> ifconfig bridge0 create
+> > +> <'tcpdump -i bridge0' on another terminal>
+> > +> ifconfig bridge0 up
+> > +> ifconfig bridge0 destroy
+> >
+> > Here, when you destroy bridge0, callout handle is also destroyed,
+> > but on detach, bpf wants to turn off promiscuous mode and call
+> > bridge_init(), because it doesn't have IFF_DRV_RUNNING flag set.
+> >
+> > bridge_init() calls callout_reset() on destroyed callout handle.
+> >
+>
+> Thanks for explaining this, you have saved me a lot of suffering.
+>
+> This patch fixes the panic on destroy, is it the correct way to solve
+> the problem? I need to commit something before 6.0.

My explanation wasn't quite right. callout_reset() is called on a valid
handle, but right after that, softc structure is freed, so when softclock
calls your function, softc is already dead.

Here is a patch which fixes it:

	http://people.freebsd.org/~pjd/patches/if_bridge.c.patch

If you don't want to change bridge_softc structure size, you can also
verify in bridge_init() if the given 'sc' is on bridge_list list.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd_at_FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
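
An added example, not part of the original message or the linked patch: a userland C model of the alternative suggested above, where bridge_init() checks that 'sc' is still on bridge_list before arming the timer. The struct layout, the check_list switch, on_bridge_list() and the unlink-before-detach order in destroy are assumptions made for illustration.

```c
/* Constructed userland model; not code from if_bridge.c or the patch. */
#include <stdbool.h>
#include <stdlib.h>

struct softc {
    struct softc *next;   /* linkage on bridge_list */
    bool timer_armed;     /* stands in for a pending callout */
};

static struct softc *bridge_list;   /* every live bridge */

/* Hypothetical helper: is sc still linked on bridge_list? */
static bool on_bridge_list(const struct softc *sc) {
    for (const struct softc *p = bridge_list; p != NULL; p = p->next)
        if (p == sc)
            return true;
    return false;
}

/* Model of bridge_init(): with check_list set, refuse to arm the timer
 * for a softc that destroy has already unlinked. */
static bool bridge_init(struct softc *sc, bool check_list) {
    if (check_list && !on_bridge_list(sc))
        return false;
    sc->timer_armed = true;   /* callout_reset() in the driver */
    return true;
}

static struct softc *bridge_create(void) {
    struct softc *sc = calloc(1, sizeof(*sc));
    if (sc != NULL) {
        sc->next = bridge_list;
        bridge_list = sc;
    }
    return sc;
}

/* Model of destroy. Assumed order: unlink, stop timer, detach (which
 * re-enters bridge_init()), free. Returns true if a timer was armed
 * when the softc was freed, i.e. the window described in the message. */
static bool bridge_destroy(struct softc *sc, bool check_list) {
    struct softc **pp = &bridge_list;
    while (*pp != NULL && *pp != sc)
        pp = &(*pp)->next;
    if (*pp != NULL)
        *pp = sc->next;
    sc->timer_armed = false;
    (void)bridge_init(sc, check_list);
    bool dangling = sc->timer_armed;
    free(sc);
    return dangling;
}
```

Without the check, the model's destroy frees a softc whose timer was just re-armed; with it, the re-entrant bridge_init() call is a no-op.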