Date: Sat, 12 Jan 2008 07:00:05 GMT
From: KUROSAWA Takahiro <fwkg7679@mb.infoweb.ne.jp>
To: freebsd-net@FreeBSD.org
Subject: Re: kern/116837: ifconfig tunX destroy: panic
Message-ID: <200801120700.m0C705JI007260@freefall.freebsd.org>
The following reply was made to PR kern/116837; it has been noted by GNATS.

From: KUROSAWA Takahiro <fwkg7679@mb.infoweb.ne.jp>
To: bug-followup@FreeBSD.org, jkpyvxmzsa@mailinator.com
Cc:
Subject: Re: kern/116837: ifconfig tunX destroy: panic
Date: Sat, 12 Jan 2008 15:48:39 +0900

The KASSERT() check in tun_destroy() seems incorrect since the function can actually be called while a user thread is opening /dev/tunX. If we needed to ensure that no threads have fd for /dev/tunX in tun_destroy(), we should implement it in if_tun. Instead, we can rely on destroy_dev() to ensure that no threads access /dev/tunX anymore (the function blocks when there are threads accessing the device).

But just deleting KASSERT() is insufficient because there is a race condition: tun_destroy() calls if_free() before destroy_dev(), so user threads might access the destroyed ifnet structure by read()/write()/... on /dev/tunX. I guess the following change is needed for if_tun.c:

--- sys/net/if_tun.c 2008/01/11 04:14:11 1.1 +++ sys/net/if_tun.c 2008/01/12 04:04:39 @@ -249,15 +249,12 @@ tun_destroy(struct tun_softc *tp) { struct cdev *dev; - /* Unlocked read. */ - KASSERT((tp->tun_flags & TUN_OPEN) == 0, - ("tununits is out of sync - unit %d", TUN2IFP(tp)->if_dunit)); - dev = tp->tun_dev; + /* destroy_dev() ensures no threads access /dev/tunX anymore. */ + destroy_dev(dev); bpfdetach(TUN2IFP(tp)); if_detach(TUN2IFP(tp)); if_free(TUN2IFP(tp)); - destroy_dev(dev); knlist_destroy(&tp->tun_rsel.si_note); mtx_destroy(&tp->tun_mtx); free(tp, M_TUN);
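
Review bot: At the top of tun_destroy(), `destroy_dev(dev);` is now the first call and, per the message above, blocks while threads are inside the device, but nothing in the hunk wakes a thread that is sleeping in read() on /dev/tunX before that call, so the destroy path can wait for as long as that thread sleeps. Consider waking sleepers before `destroy_dev(dev);` and confirming that no caller holds a mutex across tun_destroy(), since its first step can now sleep. With the KASSERT on TUN_OPEN removed, the new comment should also state that the function may run while the device is still open, because that is the case the removed check asserted against and the later if_detach()/if_free() calls now depend on destroy_dev() alone to keep users out.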