git: 3bc40f39fd86 - main - if_free: add a comment explaining why ifindex_free() is performed here
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 23 Nov 2021 03:59:44 UTC
The branch main has been updated by glebius: URL: https://cgit.FreeBSD.org/src/commit/?id=3bc40f39fd8668f0be71ca6ee5da513054080d7d commit 3bc40f39fd8668f0be71ca6ee5da513054080d7d Author: Gleb Smirnoff <glebius@FreeBSD.org> AuthorDate: 2021-11-23 03:53:12 +0000 Commit: Gleb Smirnoff <glebius@FreeBSD.org> CommitDate: 2021-11-23 03:59:27 +0000 if_free: add a comment explaining why ifindex_free() is performed here --- sys/net/if.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/sys/net/if.c b/sys/net/if.c index 3e640ebfa679..85bf7e91fe1c 100644 --- a/sys/net/if.c +++ b/sys/net/if.c @@ -710,6 +710,22 @@ if_free(struct ifnet *ifp) ifp->if_flags |= IFF_DYING; /* XXX: Locking */ + /* + * XXXGL: An interface index is really an alias to ifp pointer. + * Why would we clear the alias now, and not in the deferred + * context? Indeed there is nothing wrong with some network + * thread obtaining ifp via ifnet_byindex() inside the network + * epoch and then dereferencing ifp while we peform if_free(), + * and after if_free() finished, too. + * + * The reason is the VIMAGE. For some reason it was designed + * to require all sockets drained before destroying, but not all + * ifnets. A vnet destruction calls if_vmove() on ifnet, which + * causes ID change. But ID change and a possible misidentification + * of an ifnet later is a lesser problem, as it doesn't crash kernel. + * A worse problem is that removed interface may outlive the vnet it + * belongs too! The if_free_deferred() would see ifp->if_vnet freed. + */ CURVNET_SET_QUIET(ifp->if_vnet); IFNET_WLOCK(); KASSERT(ifp == ifnet_byindex(ifp->if_index),