[PANIC] 6.0BETA2 in l2ping flood
Pawel Jakub Dawidek
pjd at FreeBSD.org
Sat Aug 20 16:11:10 GMT 2005
On Fri, Aug 19, 2005 at 01:17:34PM +1200, Andrew Thompson wrote:
+> On Thu, Aug 18, 2005 at 11:01:29PM +0200, Pawel Jakub Dawidek wrote:
+> > On Thu, Aug 18, 2005 at 11:18:38AM +1200, Andrew Thompson wrote:
+> > +> Interesting... I can get exactly the same panic by doing
+> > +>
+> > +> ifconfig bridge0 create
+> > +> <'tcpdump -i bridge0' on another terminal>
+> > +> ifconfig bridge0 up
+> > +> ifconfig bridge0 destroy
+> >
+> > Here, when you destroy bridge0, callout handle is also destroyed,
+> > but on detach, bpf wants to turn off promiscuous mode and call
+> > bridge_init(), because it doesn't have IFF_DRV_RUNNING flag set.
+> >
+> > bridge_init() calls callout_reset() on destroyed callout handle.
+> >
+>
+> Thanks for explaining this, you have saved me a lot of suffering.
+>
+> This patch fixes the panic on destroy, is it the correct way to solve
+> the problem? I need to commit something before 6.0.
My explanation wasn't quite right.
callout_reset() is called on a valid handle, but right after that, softc
structure is freed, so when softclock calls your function, softc is
already dead.
Here is a patch which fixes it:
http://people.freebsd.org/~pjd/patches/if_bridge.c.patch
If you don't want to change bridge_softc structure size, you can also
verify in bridge_init() if the given 'sc' is on bridge_list list.
--
Pawel Jakub Dawidek http://www.wheel.pl
pjd at FreeBSD.org http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!
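
The list-membership check suggested in the message above, sketched as a user-space C model. This is an added example, not code from the thread, the linked patch, or if_bridge.c. The struct fields, helper names, and the assumption that destroy unlinks sc from bridge_list before the detach path runs are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space model. Only bridge_softc, bridge_list and bridge_init are names
 * from the thread; fields, helpers and the teardown order are assumptions. */
struct bridge_softc {
    struct bridge_softc *next; /* linkage on bridge_list */
    bool timer_armed;          /* stands in for the pending callout */
};
static struct bridge_softc *bridge_list;

static bool on_bridge_list(const struct bridge_softc *sc) {
    for (const struct bridge_softc *p = bridge_list; p != NULL; p = p->next)
        if (p == sc) return true;
    return false;
}

/* Models bridge_init() arming the timer as callout_reset() would. With
 * 'checked' set it refuses once sc is no longer on bridge_list. */
static bool bridge_init_model(struct bridge_softc *sc, bool checked) {
    if (checked && !on_bridge_list(sc)) return false;
    sc->timer_armed = true;
    return true;
}

/* Models destroy: unlink, stop timer, detach (re-enters bridge_init), free.
 * Returns true if a timer was armed at free time: a later softclock run
 * would then touch freed memory. */
static bool destroy_leaves_armed_timer(bool checked) {
    struct bridge_softc *sc = calloc(1, sizeof(*sc));
    if (sc == NULL) abort();
    sc->next = bridge_list;
    bridge_list = sc;                     /* create */
    bridge_list = sc->next;               /* destroy: unlink first (assumed) */
    sc->timer_armed = false;              /* destroy: stop the timer */
    (void)bridge_init_model(sc, checked); /* detach path calls bridge_init */
    bool dangling = sc->timer_armed;      /* sampled before free, never after */
    free(sc);
    return dangling;
}

int main(void) {
    printf("unchecked: %d, checked: %d\n",
           destroy_leaves_armed_timer(false), destroy_leaves_armed_timer(true));
    return 0;
}
```

The model never dereferences sc after free(); it only records whether a timer would still have been pending at that point.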