Re: panic: ifc_free_unit: bit is already cleared

From: Andrew Thompson <thompsa_at_freebsd.org> Date: Mon, 10 Oct 2005 15:22:08 +1300 · This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:45 UTC

On Mon, Oct 10, 2005 at 03:28:49AM +0400, Yar Tikhiy wrote:
> On Thu, Oct 06, 2005 at 10:09:50AM +1300, Andrew Thompson wrote:
> > On Wed, Oct 05, 2005 at 01:55:15PM -0700, Brooks Davis wrote:
> > > On Wed, Oct 05, 2005 at 10:36:39PM +0200, Pawel Jakub Dawidek wrote:
> > > > On Wed, Oct 05, 2005 at 03:49:03PM +1300, Andrew Thompson wrote:
> > > > +> Hi,
> > > > +> 
> > > > +> I have found a repeatable panic with network device cloning, unfortunatly I am
> > > > +> unable to dump on this box. This is sparc64 with a 2 day old current.
> > > > 
> > > > The order is wrong in vlan_modevent().
> > > > 
> > > > if_clone_detach() is freeing ifc_units field, so ifc_free_unit() should not
> > > > be called after that.
> > > > 
> > > > This patch should fix the problem:
> > > > 
> > > > 	http://people.freebsd.org/~pjd/patches/if_vlan.c.patch
> > > 
> > > Yes.  This does introduce a race in that a new interface could
> > > be created between the vlan_clone_destroy loop and the call to
> > > if_clone_detach.
> > 
> > I dont think this is the problem. IF_CLONE_REMREF(ifc) is freeing
> > ifc->ifc_units in if_clone_detach(). It look like the ref counting isnt
> > working quite right.
> 
> FWIW, I tried to look at the $subject problem since I had had it
> before, but just got a different panic:
> 
>         Memory modified after free 0xc140b000(4092) val=deadc0dc _at_ 0xc140b000
>         panic: Most recently used by clone
> 
> The clone code seems to have decremented something (refcount?) twice
> after freeing the memory chunk.

I have been testing this patch and I think it fixes all the problems
discussed.

It changes refcounting to count the number of cloned interfaces so
ifc_units is only freed when its safe. A new function has been added to
decrement this when a simple cloner module is unloaded. The cloner is
still detached first to prevent the race.

In most cases the change is as simple as:
                while ((sc = LIST_FIRST(&gre_softc_list)) != NULL) {
                        LIST_REMOVE(sc, sc_list);
                        mtx_unlock(&gre_mtx);
+                       ifc_simple_free(&gre_cloner, GRE2IFP(sc));
                        gre_destroy(sc);
                        mtx_lock(&gre_mtx);
                }

Andrew