Date:      Fri, 16 Sep 2005 13:58:41 -0600 (MDT)
From:      "M. Warner Losh" <imp@bsdimp.com>
To:        ru@FreeBSD.org
Cc:        cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org, jhb@FreeBSD.org
Subject:   Re: cvs commit: src/sys/dev/re if_re.c
Message-ID:  <20050916.135841.130619528.imp@bsdimp.com>
In-Reply-To: <20050916194405.GB24879@ip.net.ua>
References:  <20050916091928.GG88456@ip.net.ua> <20050916.090140.58827157.imp@bsdimp.com> <20050916194405.GB24879@ip.net.ua>

In message: <20050916194405.GB24879@ip.net.ua>
            Ruslan Ermilov <ru@FreeBSD.org> writes:
: On Fri, Sep 16, 2005 at 09:01:40AM -0600, M. Warner Losh wrote:
: > In message: <20050916091928.GG88456@ip.net.ua>
: >             Ruslan Ermilov <ru@FreeBSD.org> writes:
: > : On Thu, Sep 15, 2005 at 11:56:39PM +0300, Ruslan Ermilov wrote:
: > : > The first is the BPF detach bad interaction with foo_detach(),
: > : > as described in re_detach().  This panic is real with (I think)
: > : > all drivers.  And testing IFF_DRV_RUNNING here doesn't seem to
: > : > be able to prevent the panic.  Perhaps the fix would be to
: > : > move ether_ifdetach() before foo_stop() in foo_detach(), I'm
: > : > not yet sure.
: > : > 
: > : I tried with rl(4) PCCARD, by moving ether_ifdetach() before
: > : rl_stop() in rl_detach().  It fixes the panic when you eject
: > : the card, but doesn't fix it when kldunloading the module.
: > : The difference is that rl_detach() is called already after
: > : miibus0 and rlphy0 have been detached when kldunloading the
: > : module.  When ejecting the card, rl_detach() is called first.
: > : What happens when you kldunload the module with BPF listener
: > : attached, is that bpfdetach() calls rl_ioctl() to reset
: > : promisc, that calls rl_init_locked(), and that results in
: > : 
: > : 	mii = device_get_softc(sc->rl_miibus);
: > : 
: > : being NULL (remember the miibus has already been detached),
: > : and that panics later here:
: > : 
: > : 	mii_mediachg(mii);
: > : 
: > : When we reset IFF_UP, rl_ioctl(SIOCSIFFLAGS) silently exits
: > : and no harm is done.  So the question is: how do we prevent
: > : this from happening without resetting IFF_UP.  One possible
: > : solution would be to add sc->detaching, similar to
: > : sc->suspended, and check it in rl_ioctl().
: > 
: > Ugg.  In ed, we check to make sure that we still have a child before
: > doing things with mii bus.  A similar fix could be made.
: > 
: No, ed(4) has the same problem:
: 
:         if (sc->miibus != NULL) {
:                 struct mii_data *mii;
:                 mii = device_get_softc(sc->miibus);
:                 mii_mediachg(mii);
:         }
: 

No it doesn't:

void
ed_child_detached(device_t dev, device_t child)
{
	struct ed_softc *sc;

	sc = device_get_softc(dev);
	if (child == sc->miibus)
		sc->miibus = NULL;
}

: The device (sc->miibus) will still be there but already detached,
: and its softc will already be freed, so "mii" will be NULL, and
: mii_mediachg(NULL) will panic the system.

sc->miibus will be NULL after the device is detached, so you don't get
an error.

How again can this happen?

Warner
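
The disagreement above turns on whether the parent's cached miibus pointer has been cleared by the time the ioctl path runs. The following is an added example, not code from this message or from FreeBSD: a user-space C model with hypothetical names (parent_softc, detach_child, media_change, run_scenario) that compares the guarded media-change path with and without the child_detached notification, and with the sc->detaching flag proposed in the quoted text. It assumes, as the thread states, that a detached child's softc reads back as NULL.

```c
/* Constructed user-space model, not FreeBSD code; all names are hypothetical. */
#include <stdlib.h>

struct mii_data { int media; };
struct device { struct mii_data *softc; };   /* child; softc is freed on detach */
struct parent_softc {
	struct device *miibus;               /* parent's cached child pointer */
	int detaching;                       /* flag suggested in the quoted text */
};

/* Models the child_detached bus method: the parent forgets the child. */
static void child_detached(struct parent_softc *sc, struct device *child) {
	if (child == sc->miibus)
		sc->miibus = NULL;
}

/* Child detach: release the softc, then (optionally) notify the parent. */
static void detach_child(struct parent_softc *sc, struct device *child, int notify) {
	free(child->softc);
	child->softc = NULL;
	if (notify)
		child_detached(sc, child);
}

/* ioctl-path media change: 0 done, -1 skipped safely, -2 NULL softc (kernel panic). */
static int media_change(struct parent_softc *sc) {
	if (sc->detaching || sc->miibus == NULL)
		return -1;
	struct mii_data *mii = sc->miibus->softc;   /* stands in for device_get_softc() */
	if (mii == NULL)
		return -2;
	mii->media = 1;
	return 0;
}

/* Attach, detach the child, then run the late media change. */
static int run_scenario(int notify, int set_detaching) {
	struct device child = { calloc(1, sizeof(struct mii_data)) };
	struct parent_softc sc = { &child, 0 };
	if (media_change(&sc) != 0)
		return -3;                   /* sanity: must work while attached */
	sc.detaching = set_detaching;
	detach_child(&sc, &child, notify);
	return media_change(&sc);
}

int main(void) {
	return (run_scenario(1, 0) == -1 && run_scenario(0, 0) == -2) ? 0 : 1;
}
```

In the model, the pointer check alone is safe only when the notification fires before the late call; the detaching flag is safe in either order.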


