crash on lagg interface destroy

Sergey Kandaurov pluknet at freebsd.org
Thu Mar 15 07:14:16 UTC 2012


On 15 March 2012 02:48, Adarsh Joshi <adarsh.joshi at qlogic.com> wrote:
> Hello everyone,
>
> I tried to destroy a lagg interface (created using laggproto none) and I see the system crash.
>
> Steps to reproduce:
> kldload if_lagg
> ifconfig lagg0 create
> ifconfig lagg0 up laggproto none laggport ql0 laggport ql1 192.168.100.1 netmask 255.255.255.0
> ifconfig lagg0 destroy
>
> uname -a
> FreeBSD bsd-02 7.4-RELEASE FreeBSD 7.4-RELEASE #0: Wed Mar  7 18:16:06 PST 2012     root at bsd-02:/usr/src/sys/amd64/compile/MYKERNEL  amd64
>
> Crash:
>
> Tracing command ifconfig pid 1443 tid 100182 td 0xffffff0023358740
> Uart_z8530_class() at 0
> Ifc_simple_destroy() at Ifc_simple_destroy+0x2a
> If_clone_destroyif() at If_clone_destroyif+0xa5
> Ifioctl() at ifioctl+0x300
> Kern_ioctl() at kern_ioctl+0xa2
> Ioctl() at ioctl+0xf9
> Syscall() at syscall+0x252
> Xfast_syscall() at Xfast_syscall+0xab
> --- syscall (54, FreeBSD ELF64, ioctl), rip = 0x8008324bc, rsp = 0x7fffffffe348, rbp = 0x7ffffffffee27 ---

This is just a thought.

This thread has probably lost the race when it tried to take a valid pointer
to ifnet for the given interface using the ifunit() function (as done in
if_clone_destroyif()) and then is dereferencing a pointer to already
freed memory. Since FreeBSD 8.1 this was changed to use ifunit_ref() to
protect the ifnet pointer against early destroy by reference counting the ifnet
pointer. But this function doesn't exist in 7.x. If this is the case, then
this should be easily reproduced when two parallel threads are trying to
destroy the cloned interface.

So, first I'd try to upgrade to 8.1 or above.

-- 
wbr,
pluknet
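
The race described in the reply above, replayed as a small user-space C model (an added example, not code from the original message or from the FreeBSD kernel). The `model_*` names and the sequential replay of the two callers are assumptions made for illustration.

```c
/* Added user-space model (constructed); model_* names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct model_ifnet { char name[16]; int refs; };
struct replay_result { int frees_while_b_held, second_destroy, frees_total; };
static struct model_ifnet *iflist[4];  /* stands in for the kernel ifnet list */
static int frees;                      /* objects actually freed so far */
static void model_create(const char *name) {
    struct model_ifnet *ifp = calloc(1, sizeof(*ifp));
    if (ifp == NULL) abort();
    strncpy(ifp->name, name, sizeof(ifp->name) - 1);
    ifp->refs = 1;                     /* the list's own reference */
    iflist[0] = ifp;
}
static struct model_ifnet *model_ifunit(const char *name) {     /* 7.x style */
    for (size_t i = 0; i < 4; i++)
        if (iflist[i] != NULL && strcmp(iflist[i]->name, name) == 0)
            return iflist[i];          /* caller holds no reference */
    return NULL;
}
static struct model_ifnet *model_ifunit_ref(const char *name) { /* 8.1+ style */
    struct model_ifnet *ifp = model_ifunit(name);
    if (ifp != NULL) ifp->refs++;      /* kernel: done under the list lock */
    return ifp;
}
static void model_if_rele(struct model_ifnet *ifp) { if (--ifp->refs == 0) { free(ifp); frees++; } }
static int model_destroy(struct model_ifnet *ifp) {
    for (size_t i = 0; i < 4; i++)
        if (iflist[i] == ifp) { iflist[i] = NULL; model_if_rele(ifp); return 0; }
    return -1;                         /* another caller already detached it */
}
/* Replays one interleaving sequentially: A and B look up lagg0, A destroys first. */
static struct replay_result replay(int use_ref) {
    struct model_ifnet *(*lookup)(const char *) = use_ref ? model_ifunit_ref : model_ifunit;
    struct replay_result r = {0, 0, 0};
    frees = 0;
    model_create("lagg0");
    struct model_ifnet *a = lookup("lagg0"), *b = lookup("lagg0");
    model_destroy(a); if (use_ref) model_if_rele(a);
    r.frees_while_b_held = frees;      /* 1: b dangles, so it is not touched again */
    if (use_ref) { r.second_destroy = model_destroy(b); model_if_rele(b); }
    r.frees_total = frees;
    return r;
}
int main(void) {
    struct replay_result o = replay(0), n = replay(1);
    printf("freed while B held pointer: ifunit=%d ifunit_ref=%d\n", o.frees_while_b_held, n.frees_while_b_held);
    return 0;
}
```

With the plain lookup the object is freed while the second caller still holds its pointer; with the referenced lookup the second destroy fails cleanly and the memory is released only when the last reference is dropped.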


More information about the freebsd-drivers mailing list