[Bug 244247] Kernel panic due to race condition in ng_eiface shutdown

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue Feb 25 06:13:14 UTC 2020


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=244247

Aleksandr Fedorov <aleksandr.fedorov at itglobal.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |aleksandr.fedorov at itglobal.
                   |                            |com

--- Comment #10 from Aleksandr Fedorov <aleksandr.fedorov at itglobal.com> ---
It seems that there is a race in the function ng_eiface_rmnode().

613     static int
614     ng_eiface_rmnode(node_p node)
615     {
616             const priv_p priv = NG_NODE_PRIVATE(node);
617             struct ifnet *const ifp = priv->ifp;
618     
619             /*
620              * the ifnet may be in a different vnet than the netgraph node, 
621              * hence we have to change the current vnet context here.
622              */
623             CURVNET_SET_QUIET(ifp->if_vnet);
624             ifmedia_removeall(&priv->media);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Remove media


625             ether_ifdetach(ifp);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Detach interface. Remove interface from ifnet's list, which is protected by
WLOCK().

626             if_free(ifp);
627             CURVNET_RESTORE();
628             free_unr(V_ng_eiface_unit, priv->unit);
629             free(priv, M_NETGRAPH);
630             NG_NODE_SET_PRIVATE(node, NULL);
631             NG_NODE_UNREF(node);
632             return (0);
633     }

So, the media is already removed, but the interface is still available.

I think the order should be different, like other interfaces do:
1) Detach interface.
2) Free used resources.

Can you test the following patch:

Index: sys/netgraph/ng_eiface.c
===================================================================
--- sys/netgraph/ng_eiface.c    (revision 358308)
+++ sys/netgraph/ng_eiface.c    (working copy)
@@ -621,9 +621,9 @@
         * hence we have to change the current vnet context here.
         */
        CURVNET_SET_QUIET(ifp->if_vnet);
-       ifmedia_removeall(&priv->media);
        ether_ifdetach(ifp);
        if_free(ifp);
+       ifmedia_removeall(&priv->media);
        CURVNET_RESTORE();
        free_unr(V_ng_eiface_unit, priv->unit);
        free(priv, M_NETGRAPH);
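
Review bot: the moved call ifmedia_removeall(&priv->media) now sits after if_free(ifp) with no comment saying why the order matters, so a later cleanup could move it back ahead of ether_ifdetach(ifp). Add a one-line comment above it stating that the media list is released only once the interface is detached. Since the call takes only &priv->media, also consider whether it needs to stay inside the CURVNET_SET_QUIET/CURVNET_RESTORE section, and confirm that ether_ifdetach() drains callers that already hold ifp; otherwise the window is narrowed rather than closed.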

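The ordering argument in comment #10 (detach the interface first, then free its resources), as an added userspace model that is not FreeBSD kernel code and not part of the original message. The names `registry`, `reader_hits_stale_media` and `teardown_races` are hypothetical, and the concurrent reader is simulated by a probe call placed between the two teardown steps.

```c
/* Userspace model, constructed for illustration; not FreeBSD kernel code. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct media { int current; };
struct iface { struct media *media; };  /* stands in for ifnet + private data */

static struct iface *registry;          /* stands in for the ifnet list */

/* What a concurrent media request would do: look the interface up, then
 * use its media. Returns true when it reaches a still-published interface
 * whose media is already gone (the window described in the comment). */
static bool reader_hits_stale_media(void)
{
    struct iface *ifp = registry;
    if (ifp == NULL)
        return false;                   /* detached: reader fails cleanly */
    return ifp->media == NULL;          /* NULL marks "freed" without UB */
}

/* Tear one interface down, running the reader between the two steps to
 * model the worst-case interleaving. Returns what the reader observed. */
static bool teardown_races(bool detach_first)
{
    struct iface *ifp = calloc(1, sizeof(*ifp));
    struct media *m = calloc(1, sizeof(*m));
    if (ifp == NULL || m == NULL)
        abort();
    ifp->media = m;
    registry = ifp;                     /* attach */

    if (detach_first)
        registry = NULL;                /* 1) detach interface */
    else
        ifp->media = NULL;              /* original order: media goes first */
    bool raced = reader_hits_stale_media();

    registry = NULL;                    /* both orders end fully detached */
    ifp->media = NULL;
    free(m);                            /* 2) free used resources */
    free(ifp);
    return raced;
}

int main(void)
{
    printf("media first:  raced=%d\n", teardown_races(false));
    printf("detach first: raced=%d\n", teardown_races(true));
    return 0;
}
```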