Date: Fri, 16 Sep 2005 22:44:05 +0300 From: Ruslan Ermilov <ru@FreeBSD.org> To: "M. Warner Losh" <imp@bsdimp.com> Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org, jhb@FreeBSD.org Subject: Re: cvs commit: src/sys/dev/re if_re.c Message-ID: <20050916194405.GB24879@ip.net.ua> In-Reply-To: <20050916.090140.58827157.imp@bsdimp.com> References: <200509151521.14204.jhb@FreeBSD.org> <20050915205639.GD88456@ip.net.ua> <20050916091928.GG88456@ip.net.ua> <20050916.090140.58827157.imp@bsdimp.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--1UWUbFP1cBYEclgG Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Sep 16, 2005 at 09:01:40AM -0600, M. Warner Losh wrote: > In message: <20050916091928.GG88456@ip.net.ua> > Ruslan Ermilov <ru@FreeBSD.org> writes: > : On Thu, Sep 15, 2005 at 11:56:39PM +0300, Ruslan Ermilov wrote: > : > The first is the BPF detach bad interaction with foo_detach(), > : > as described in re_detach(). This panic is real with (I think) > : > all drivers. And testing IFF_DRV_RUNNING here doesn't seem to > : > be able to prevent the panic. Perhaps the fix would be to > : > move ether_ifdetach() before foo_stop() in foo_detach(), I'm > : > not yet sure. > : >=20 > : I tried with rl(4) PCCARD, by moving ether_ifdetach() before > : rl_stop() in rl_detach(). It fixes the panic when you eject > : the card, but doesn't fix it when kldunloading the module. > : The difference is that rl_detach() is called already after > : miibus0 and rlphy0 has been detached when kldunloading the > : module. When ejecting the card, rl_detach() is called first. > : What happens when you kldunload the module with BPF listener > : attached, is that bpfdetach() calls rl_ioctl() to reset > : promisc, that calls rl_init_locked(), and that results in > :=20 > : mii =3D device_get_softc(sc->rl_miibus); > :=20 > : being NULL (remember the miibus has already been detached), > : and that panics later here: > :=20 > : mii_mediachg(mii); > :=20 > : When we reset IFF_UP, rl_ioctl(SIOCSIFFLAGS) silently exits > : and no harm is done. So the question is: how do we prevent > : this from happening without resetting IFF_UP. One possible > : solution would be to add sc->detaching, similar to > : sc->suspended, abd check it in rl_ioctl(). >=20 > Ugg. In ed, we check to make sure that we still have a child before > doing things with mii bus. A similar fix could be made. >=20 No, ed(4) has the same problem: if (sc->miibus !=3D NULL) { struct mii_data *mii; mii =3D device_get_softc(sc->miibus); mii_mediachg(mii); } The device (sc->miibus) will still be there but already detached, and its softc will already be freed, so "mii" will be NULL, and mii_mediachg(NULL) will panic the system. xl(4), for example, also checks for "mii" to be not NULL: /* XXX Downcall to miibus. */ if (mii !=3D NULL) mii_mediachg(mii); Somehow I think it's plain incorrect to implicitly call start() after explicitly calling stop() from detach() -- except for possibly panicing the system, it also re-enables interrupts, re-schedules just cancelled callouts, etc. Cheers, --=20 Ruslan Ermilov ru@FreeBSD.org FreeBSD committer --1UWUbFP1cBYEclgG Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (FreeBSD) iD8DBQFDKyCFqRfpzJluFF4RAtzYAKCI8FrGhA6bZllV0eVwrBlLPKDElgCeMncG y2MdRABLbL7BC6WsIKsggJY= =0AaR -----END PGP SIGNATURE----- --1UWUbFP1cBYEclgG--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050916194405.GB24879>