[PANIC] 6.0BETA2 in l2ping flood

Pawel Jakub Dawidek pjd at FreeBSD.org
Sat Aug 20 16:11:10 GMT 2005

On Fri, Aug 19, 2005 at 01:17:34PM +1200, Andrew Thompson wrote:
+> On Thu, Aug 18, 2005 at 11:01:29PM +0200, Pawel Jakub Dawidek wrote:
+> > On Thu, Aug 18, 2005 at 11:18:38AM +1200, Andrew Thompson wrote:
+> > +> Interesting... I can get exactly the same panic by doing
+> > +> 
+> > +>  ifconfig bridge0 create
+> > +>   <'tcpdump -i bridge0' on another terminal>
+> > +>  ifconfig bridge0 up
+> > +>  ifconfig bridge0 destroy
+> > 
+> > Here, when you destroy bridge0, callout handle is also destroyed,
+> > but on detach, bpf wants to turn off promiscuous mode and call
+> > bridge_init(), because it doesn't have IFF_DRV_RUNNING flag set.
+> > 
+> > bridge_init() calls callout_reset() on destroyed callout handle.
+> > 
+> Thanks for explaining this, you have saved me a lot of suffering.
+> This patch fixes the panic on destroy, is it the correct way to solve
+> the problem? I need to commit something before 6.0.

My explanation wasn't quite right.

callout_reset() is called on a valid handle, but right after that, softc
structure if freed, so when softclock calls your function, softc is
already dead.

Here is a patch which fix it:


If you don't want to change bridge_softc structure size, you can also
verify in bridge_init() if the given 'sc' is on bridge_list list.

Pawel Jakub Dawidek                       http://www.wheel.pl
pjd at FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-current/attachments/20050820/65ca3152/attachment.bin

More information about the freebsd-current mailing list