From nobody@FreeBSD.org  Sun Jan 25 11:30:38 2009
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 653001065673
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 25 Jan 2009 11:30:38 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 51AC48FC14
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 25 Jan 2009 11:30:38 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id n0PBUcQF077106
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 25 Jan 2009 11:30:38 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id n0PBUcWo077105;
	Sun, 25 Jan 2009 11:30:38 GMT
	(envelope-from nobody)
Message-Id: <200901251130.n0PBUcWo077105@www.freebsd.org>
Date: Sun, 25 Jan 2009 11:30:38 GMT
From: Semenchuk Oleg <darkibot@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [netgraph][pf] kernel panic trap 12 on user connect to VPN server
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         130977
>Category:       kern
>Synopsis:       [netgraph][pf] kernel panic trap 12 on user connect to VPN server
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-pf
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jan 25 11:40:01 UTC 2009
>Closed-Date:    Mon Apr 13 23:34:46 UTC 2009
>Last-Modified:  Mon Apr 13 23:34:46 UTC 2009
>Originator:     Semenchuk Oleg
>Release:        7.0 Release, 7.1 Release, 7.1 Stable
>Organization:
NTU
>Environment:
# uname -v
FreeBSD 7.1-STABLE #0: Sat Jan 24 16:17:10 EET 2009 root@srv.subnet.ntu.priv:/usr/src/sys/i386/compile/GENERIC
>Description:
Kernel goes to panic, when user connects to VPN server (based on mpd) or started mpd. Problem is not looks like mpd software bug, same was reproduced with default ppp. In case not load pf.ko - it's not reproduced.

Note: bug is not looks like hardware problem, due to reproduceability 100% on different hardware


loaded modules:
______________________________________
#kldstat 
Id Refs Address    Size     Name 
 1   11 0xc0400000 9a7f34   kernel 
 2    1 0xc0da8000 4674     ng_bridge.ko 
 3    7 0xc0dad000 d89c     netgraph.ko 
 4    1 0xc0dbb000 3df8     ng_ether.ko 
 5    1 0xc0dbf000 6a45c    acpi.ko 
 6    1 0xc23f2000 33000    pf.ko 
 7    1 0xc2583000 4000     ng_socket.ko 
 8    1 0xc25c9000 5000     ng_ksocket.ko 
 9    1 0xc26f6000 3000     ng_iface.ko 
10    1 0xc26fd000 7000     ng_ppp.ko 
______________________________________



kernel dump:
______________________________________
# kgdb /boot/kernel/kernel.symbols /var/crash/vmcore.1
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...


Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x2000200
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc23fd630
stack pointer           = 0x28:0xcd0f6a80
frame pointer           = 0x28:0xcd0f6ab8
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 3110 (mpd4)
trap number             = 12
panic: page fault
cpuid = 0
Uptime: 8h36m1s
Physical memory: 243 MB
Dumping 38 MB: 23 7

Reading symbols from /boot/kernel/ng_bridge.ko...Reading symbols from /boot/kernel/ng_bridge.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_bridge.ko
Reading symbols from /boot/kernel/netgraph.ko...Reading symbols from /boot/kernel/netgraph.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/netgraph.ko
Reading symbols from /boot/kernel/ng_ether.ko...Reading symbols from /boot/kernel/ng_ether.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_ether.ko
Reading symbols from /boot/kernel/acpi.ko...Reading symbols from /boot/kernel/acpi.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/acpi.ko
Reading symbols from /boot/kernel/pf.ko...Reading symbols from /boot/kernel/pf.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/pf.ko
Reading symbols from /boot/kernel/ng_socket.ko...Reading symbols from /boot/kernel/ng_socket.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_socket.ko
Reading symbols from /boot/kernel/ng_ksocket.ko...Reading symbols from /boot/kernel/ng_ksocket.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_ksocket.ko
Reading symbols from /boot/kernel/ng_iface.ko...Reading symbols from /boot/kernel/ng_iface.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_iface.ko
Reading symbols from /boot/kernel/ng_ppp.ko...Reading symbols from /boot/kernel/ng_ppp.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_ppp.ko
Reading symbols from /boot/kernel/ng_pptpgre.ko...Reading symbols from /boot/kernel/ng_pptpgre.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_pptpgre.ko
#0  doadump () at pcpu.h:196
196     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) list *0xc23fd630
0xc23fd630 is in pfi_instance_add (/usr/src/sys/modules/pf/../../contrib/pf/net/pf_if.c:579).
574             int              net2, af;
575
576             if (ifp == NULL)
577                     return;
578             TAILQ_FOREACH(ia, &ifp->if_addrlist, ifa_list) {
579                     if (ia->ifa_addr == NULL)
580                             continue;
581                     af = ia->ifa_addr->sa_family;
582                     if (af != AF_INET && af != AF_INET6)
583                             continue;
(kgdb) backtrace
#0  doadump () at pcpu.h:196
#1  0xc079a427 in boot (howto=260) at ../../../kern/kern_shutdown.c:418
#2  0xc079a6f9 in panic (fmt=Variable "fmt" is not available.
) at ../../../kern/kern_shutdown.c:574
#3  0xc0aac6bc in trap_fatal (frame=0xcd0f6a40, eva=33554944) at ../../../i386/i386/trap.c:939
#4  0xc0aac940 in trap_pfault (frame=0xcd0f6a40, usermode=0, eva=33554944) at ../../../i386/i386/trap.c:852
#5  0xc0aad2fc in trap (frame=0xcd0f6a40) at ../../../i386/i386/trap.c:530
#6  0xc0a9317b in calltrap () at ../../../i386/i386/exception.s:159
#7  0xc23fd630 in pfi_instance_add (ifp=0xc2288000, net=128, flags=0)
    at /usr/src/sys/modules/pf/../../contrib/pf/net/pf_if.c:578
#8  0xc23fd933 in pfi_table_update (kt=0xc243f000, kif=0xc2379600, net=128, flags=0)
    at /usr/src/sys/modules/pf/../../contrib/pf/net/pf_if.c:561
#9  0xc23fdbca in pfi_dynaddr_update (dyn=0xc243de74) at /usr/src/sys/modules/pf/../../contrib/pf/net/pf_if.c:543
#10 0xc23fdc1d in pfi_kif_update (kif=0xc2379600) at /usr/src/sys/modules/pf/../../contrib/pf/net/pf_if.c:520
#11 0xc23fdc44 in pfi_kif_update (kif=0xc26e7e00) at /usr/src/sys/modules/pf/../../contrib/pf/net/pf_if.c:525
#12 0xc23fdcb4 in pfi_ifaddr_event (arg=0x0, ifp=0xc2287400) at /usr/src/sys/modules/pf/../../contrib/pf/net/pf_if.c:942
#13 0xc086ff3c in in_control (so=0xc23d4680, cmd=2151704858, data=0xc24cea40 "ng0", ifp=0xc2287400, td=0xc26e6230)
    at ../../../netinet/in.c:460
#14 0xc0833a3d in ifioctl (so=0xc23d4680, cmd=2151704858, data=0xc24cea40 "ng0", td=0xc26e6230) at ../../../net/if.c:1952
#15 0xc07d85aa in soo_ioctl (fp=0xc23832ac, cmd=2151704858, data=0xc24cea40, active_cred=0xc2651500, td=0xc26e6230)
    at ../../../kern/sys_socket.c:191
#16 0xc07d1395 in kern_ioctl (td=0xc26e6230, fd=36, com=2151704858, data=0xc24cea40 "ng0") at file.h:268
#17 0xc07d14f4 in ioctl (td=0xc26e6230, uap=0xcd0f6cfc) at ../../../kern/sys_generic.c:570
#18 0xc0aacc95 in syscall (frame=0xcd0f6d38) at ../../../i386/i386/trap.c:1090
#19 0xc0a931e0 in Xint0x80_syscall () at ../../../i386/i386/exception.s:255
#20 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
______________________________________
>How-To-Repeat:
1. install OS
2. cvsup to 7.0 Release
3. install mpd3 or mpd4 or mpd5
4. create any config for PPTP or PPPoE connections (1 or 2)
5. start mpd daemon
6. connect to VPN server
7. create config for PF with NAT
8. load pf module ( kldload pf )
9. load pf rules from created config ( pfctl -f /etc/pf.conf )
10. enable pf ( pfctl -e )

ACR:
kernel panic
>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-pf 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Jan 25 20:33:47 UTC 2009 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=130977 

From: Oleg S <darkibot@gmail.com>
To: bug-followup@FreeBSD.org, darkibot@gmail.com
Cc:  
Subject: Re: kern/130977: [netgraph][pf] kernel panic trap 12 on user connect 
	to VPN server
Date: Sun, 15 Feb 2009 22:25:05 +0200

 More detailed:
 in pf firewall should be rule like:
 pass in quick proto tcp from any to (self) port 25 flags S/SA keep state
 
 
 e.g. system crash in case in firewall present '(self)' macro

From: Mikolaj Golub <to.my.trociny@gmail.com>
To: bug-followup@FreeBSD.org,darkibot@gmail.com
Cc:  
Subject: Re: kern/130977: [netgraph][pf] kernel panic trap 12 on user connect to VPN server
Date: Fri, 10 Apr 2009 14:42:59 +0300

 The problem here (as in kern/131310 and may be in some other reports) is that
 net/if.c:if_attach() when attaching interface adds it to default group ALL
 calling if_addgroup(ifp, IFG_ALL). But when interface is removed (in this case
 ng, but the same thing occurs for other interfaces too, e.g. I checked it for
 tap) the reference to it does not removed from ifgl_group.ifg_members list.
 
 The simple test can be used to confirm this:
 
 1) add interface (e.g. starting mpd);
 
 2) run kgdb and find reference to ng interface in the list 
 ifnet.tqh_first.if_groups->tqh_first.ifgl_group.ifg_members
 
 E.g. in my case it is:
 
 (kgdb) p *ifnet.tqh_first.if_groups->tqh_first.ifgl_group.ifg_members.tqh_first.ifgm_next.tqe_next.ifgm_next.tqe_next.ifgm_next.tqe_next.ifgm_ifp
 $1 = {if_softc = 0xc4e180c0, if_l2com = 0x0, if_link = {tqe_next = 0x0, tqe_prev = 0xc4264808}, 
   if_xname = "ng0", '\0' <repeats 12 times>, if_dname = 0xc4bd60d9 "ng", if_dunit = 0, if_addrhead = {
     tqh_first = 0xc4ba4e00, tqh_last = 0xc4ba4e60}, if_klist = {kl_list = {slh_first = 0x0}, 
     kl_lock = 0xc07abb00 <knlist_mtx_lock>, kl_unlock = 0xc07abb30 <knlist_mtx_unlock>, 
 ...
 
 3) remove ng interface (e.g. stopping mpd). Check that in the list
 ifnet.tqh_first.if_groups->tqh_first.ifgl_group.ifg_members we still have the reference
 to already removed interface:
 
 (kgdb) p *ifnet.tqh_first.if_groups->tqh_first.ifgl_group.ifg_members.tqh_first.ifgm_next.tqe_next.ifgm_next.tqe_next.ifgm_next.tqe_next.ifgm_ifp
 $2 = {if_softc = 0xdeadc0de, if_l2com = 0xdeadc0de, if_link = {tqe_next = 0xdeadc0de, tqe_prev = 0xdeadc0de}, 
   if_xname = "", if_dname = 0xdeadc0de <Error reading address 0xdeadc0de: Bad address>, 
   if_dunit = -559038242, if_addrhead = {tqh_first = 0xdeadc0de, tqh_last = 0xdeadc0de}, if_klist = {kl_list = {
       slh_first = 0xdeadc0de}, kl_lock = 0xdeadc0de, kl_unlock = 0xdeadc0de, kl_locked = 0xdeadc0de, 
 
 If you repeat this process many times you will have the long least of invalid ifgm_ifp references.
 
 pf traverses the list ifnet.tqh_first.if_groups->tqh_first.ifgl_group.ifg_members in  
 pfi_table_update and calls pfi_instance_add() with nonvalid ifgm_ifp argument
 and the system panics trying to access invalid memory.
 
 I don't know if this correct solution but adding if_delgroup(ifp, IFG_ALL) to 
 sys/net/if.c:if_detach() fixes the problem for me.
 
 --- sys/net/if.c.orig   2009-04-01 10:53:55.000000000 +0300
 +++ sys/net/if.c        2009-04-10 12:38:14.000000000 +0300
 @@ -846,6 +846,7 @@ if_detach(struct ifnet *ifp)
         mtx_destroy(&ifp->if_snd.ifq_mtx);
         IF_AFDATA_DESTROY(ifp);
         splx(s);
 +       if_delgroup(ifp, IFG_ALL);
  }
  
  /*
 
 -- 
 Mikolaj Golub

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/130977: commit references a PR
Date: Fri, 10 Apr 2009 14:42:01 +0000 (UTC)

 Author: mlaier
 Date: Fri Apr 10 14:41:51 2009
 New Revision: 190895
 URL: http://svn.freebsd.org/changeset/base/190895
 
 Log:
   Remove interfaces from IFG_ALL on detach.  This cures a couple of pf panics
   when using the "self" keyword in tables or as ()-style host address and
   fixes "ifconfig -g all" output.
   
   PR:		kern/130977, kern/131310
   Submitted by:	Mikolaj Golub
   MFC after:	3 days
 
 Modified:
   head/sys/net/if.c
 
 Modified: head/sys/net/if.c
 ==============================================================================
 --- head/sys/net/if.c	Fri Apr 10 14:24:12 2009	(r190894)
 +++ head/sys/net/if.c	Fri Apr 10 14:41:51 2009	(r190895)
 @@ -887,6 +887,7 @@ if_detach(struct ifnet *ifp)
  	rt_ifannouncemsg(ifp, IFAN_DEPARTURE);
  	EVENTHANDLER_INVOKE(ifnet_departure_event, ifp);
  	devctl_notify("IFNET", ifp->if_xname, "DETACH", NULL);
 +	if_delgroup(ifp, IFG_ALL);
  
  	IF_AFDATA_LOCK(ifp);
  	for (dp = domains; dp; dp = dp->dom_next) {
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/130977: commit references a PR
Date: Fri, 10 Apr 2009 19:16:28 +0000 (UTC)

 Author: mlaier
 Date: Fri Apr 10 19:16:14 2009
 New Revision: 190903
 URL: http://svn.freebsd.org/changeset/base/190903
 
 Log:
   Follow up for r190895  It's not only the "all" group that is affected, but
   all groups on the given interface.
   
   PR:		kern/130977, kern/131310
   MFC after:	3 days (%vnet)
 
 Modified:
   head/sys/net/if.c
 
 Modified: head/sys/net/if.c
 ==============================================================================
 --- head/sys/net/if.c	Fri Apr 10 18:46:46 2009	(r190902)
 +++ head/sys/net/if.c	Fri Apr 10 19:16:14 2009	(r190903)
 @@ -141,6 +141,7 @@ static int	if_delmulti_locked(struct ifn
  static void	do_link_state_change(void *, int);
  static int	if_getgroup(struct ifgroupreq *, struct ifnet *);
  static int	if_getgroupmembers(struct ifgroupreq *);
 +static void	if_delgroups(struct ifnet *);
  
  #ifdef INET6
  /*
 @@ -887,7 +888,7 @@ if_detach(struct ifnet *ifp)
  	rt_ifannouncemsg(ifp, IFAN_DEPARTURE);
  	EVENTHANDLER_INVOKE(ifnet_departure_event, ifp);
  	devctl_notify("IFNET", ifp->if_xname, "DETACH", NULL);
 -	if_delgroup(ifp, IFG_ALL);
 +	if_delgroups(ifp);
  
  	IF_AFDATA_LOCK(ifp);
  	for (dp = domains; dp; dp = dp->dom_next) {
 @@ -1025,6 +1026,54 @@ if_delgroup(struct ifnet *ifp, const cha
  }
  
  /*
 + * Remove an interface from all groups
 + */
 +static void
 +if_delgroups(struct ifnet *ifp)
 +{
 +	INIT_VNET_NET(ifp->if_vnet);
 +	struct ifg_list		*ifgl;
 +	struct ifg_member	*ifgm;
 +	char groupname[IFNAMSIZ];
 +
 +	IFNET_WLOCK();
 +	while (!TAILQ_EMPTY(&ifp->if_groups)) {
 +		ifgl = TAILQ_FIRST(&ifp->if_groups);
 +
 +		strlcpy(groupname, ifgl->ifgl_group->ifg_group, IFNAMSIZ);
 +
 +		IF_ADDR_LOCK(ifp);
 +		TAILQ_REMOVE(&ifp->if_groups, ifgl, ifgl_next);
 +		IF_ADDR_UNLOCK(ifp);
 +
 +		TAILQ_FOREACH(ifgm, &ifgl->ifgl_group->ifg_members, ifgm_next)
 +			if (ifgm->ifgm_ifp == ifp)
 +				break;
 +
 +		if (ifgm != NULL) {
 +			TAILQ_REMOVE(&ifgl->ifgl_group->ifg_members, ifgm,
 +			    ifgm_next);
 +			free(ifgm, M_TEMP);
 +		}
 +
 +		if (--ifgl->ifgl_group->ifg_refcnt == 0) {
 +			TAILQ_REMOVE(&V_ifg_head, ifgl->ifgl_group, ifg_next);
 +			EVENTHANDLER_INVOKE(group_detach_event,
 +			    ifgl->ifgl_group);
 +			free(ifgl->ifgl_group, M_TEMP);
 +		}
 +		IFNET_WUNLOCK();
 +
 +		free(ifgl, M_TEMP);
 +
 +		EVENTHANDLER_INVOKE(group_change_event, groupname);
 +
 +		IFNET_WLOCK();
 +	}
 +	IFNET_WUNLOCK();
 +}
 +
 +/*
   * Stores all groups from an interface in memory pointed
   * to by data
   */
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: Max Laier <max@love2party.net>
To: bug-followup@freebsd.org,
 darkibot@gmail.com
Cc:  
Subject: Re: kern/130977: [netgraph][pf] kernel panic trap 12 on user connect to VPN server
Date: Sat, 11 Apr 2009 01:11:54 +0100

 --Boundary-00=_LB+3JRWytgyQ4AY
 Content-Type: text/plain;
   charset="us-ascii"
 Content-Transfer-Encoding: 7bit
 Content-Disposition: inline
 
 Here is the MFC patch - if possible, please try and report back.
 
 -- 
   Max
 
 --Boundary-00=_LB+3JRWytgyQ4AY
 Content-Type: text/x-patch;
   charset="ISO-8859-1";
   name="mfc.ifg.patch"
 Content-Transfer-Encoding: 7bit
 Content-Disposition: attachment;
 	filename="mfc.ifg.patch"
 
 Index: sys/net/if.c
 ===================================================================
 --- sys/net/if.c	(revision 190905)
 +++ sys/net/if.c	(working copy)
 @@ -128,6 +128,7 @@
  static void	do_link_state_change(void *, int);
  static int	if_getgroup(struct ifgroupreq *, struct ifnet *);
  static int	if_getgroupmembers(struct ifgroupreq *);
 +static void	if_delgroups(struct ifnet *);
  #ifdef INET6
  /*
   * XXX: declare here to avoid to include many inet6 related files..
 @@ -828,6 +829,7 @@
  	rt_ifannouncemsg(ifp, IFAN_DEPARTURE);
  	EVENTHANDLER_INVOKE(ifnet_departure_event, ifp);
  	devctl_notify("IFNET", ifp->if_xname, "DETACH", NULL);
 +	if_delgroups(ifp);
  
  	IF_AFDATA_LOCK(ifp);
  	for (dp = domains; dp; dp = dp->dom_next) {
 @@ -963,6 +965,53 @@
  }
  
  /*
 + * Remove an interface from all groups
 + */
 +static void
 +if_delgroups(struct ifnet *ifp)
 +{
 +	struct ifg_list		*ifgl;
 +	struct ifg_member	*ifgm;
 +	char groupname[IFNAMSIZ];
 +
 +	IFNET_WLOCK();
 +	while (!TAILQ_EMPTY(&ifp->if_groups)) {
 +		ifgl = TAILQ_FIRST(&ifp->if_groups);
 +
 +		strlcpy(groupname, ifgl->ifgl_group->ifg_group, IFNAMSIZ);
 +
 +		IF_ADDR_LOCK(ifp);
 +		TAILQ_REMOVE(&ifp->if_groups, ifgl, ifgl_next);
 +		IF_ADDR_UNLOCK(ifp);
 +
 +		TAILQ_FOREACH(ifgm, &ifgl->ifgl_group->ifg_members, ifgm_next)
 +			if (ifgm->ifgm_ifp == ifp)
 +				break;
 +
 +		if (ifgm != NULL) {
 +			TAILQ_REMOVE(&ifgl->ifgl_group->ifg_members, ifgm,
 +			    ifgm_next);
 +			free(ifgm, M_TEMP);
 +		}
 +
 +		if (--ifgl->ifgl_group->ifg_refcnt == 0) {
 +			TAILQ_REMOVE(&ifg_head, ifgl->ifgl_group, ifg_next);
 +			EVENTHANDLER_INVOKE(group_detach_event,
 +			    ifgl->ifgl_group);
 +			free(ifgl->ifgl_group, M_TEMP);
 +		}
 +		IFNET_WUNLOCK();
 +
 +		free(ifgl, M_TEMP);
 +
 +		EVENTHANDLER_INVOKE(group_change_event, groupname);
 +
 +		IFNET_WLOCK();
 +	}
 +	IFNET_WUNLOCK();
 +}
 +
 +/*
   * Stores all groups from an interface in memory pointed
   * to by data
   */
 
 --Boundary-00=_LB+3JRWytgyQ4AY--

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/130977: commit references a PR
Date: Mon, 13 Apr 2009 22:47:11 +0000 (UTC)

 Author: mlaier
 Date: Mon Apr 13 22:17:03 2009
 New Revision: 191025
 URL: http://svn.freebsd.org/changeset/base/191025
 
 Log:
   MFH r190903 & r190895:
     Remove interfaces from interface groups on detach.
   
   Reported by:	various
   Submitted by:	Mikolaj Golub (r190895)
   PR:		kern/130977, kern/131310
   Approved by:	re (gnn)
 
 Modified:
   stable/7/sys/   (props changed)
   stable/7/sys/contrib/pf/   (props changed)
   stable/7/sys/dev/ath/ath_hal/   (props changed)
   stable/7/sys/dev/cxgb/   (props changed)
   stable/7/sys/net/if.c
 
 Modified: stable/7/sys/net/if.c
 ==============================================================================
 --- stable/7/sys/net/if.c	Mon Apr 13 21:04:53 2009	(r191024)
 +++ stable/7/sys/net/if.c	Mon Apr 13 22:17:03 2009	(r191025)
 @@ -128,6 +128,7 @@ static void	if_start_deferred(void *cont
  static void	do_link_state_change(void *, int);
  static int	if_getgroup(struct ifgroupreq *, struct ifnet *);
  static int	if_getgroupmembers(struct ifgroupreq *);
 +static void	if_delgroups(struct ifnet *);
  #ifdef INET6
  /*
   * XXX: declare here to avoid to include many inet6 related files..
 @@ -828,6 +829,7 @@ if_detach(struct ifnet *ifp)
  	rt_ifannouncemsg(ifp, IFAN_DEPARTURE);
  	EVENTHANDLER_INVOKE(ifnet_departure_event, ifp);
  	devctl_notify("IFNET", ifp->if_xname, "DETACH", NULL);
 +	if_delgroups(ifp);
  
  	IF_AFDATA_LOCK(ifp);
  	for (dp = domains; dp; dp = dp->dom_next) {
 @@ -963,6 +965,53 @@ if_delgroup(struct ifnet *ifp, const cha
  }
  
  /*
 + * Remove an interface from all groups
 + */
 +static void
 +if_delgroups(struct ifnet *ifp)
 +{
 +	struct ifg_list		*ifgl;
 +	struct ifg_member	*ifgm;
 +	char groupname[IFNAMSIZ];
 +
 +	IFNET_WLOCK();
 +	while (!TAILQ_EMPTY(&ifp->if_groups)) {
 +		ifgl = TAILQ_FIRST(&ifp->if_groups);
 +
 +		strlcpy(groupname, ifgl->ifgl_group->ifg_group, IFNAMSIZ);
 +
 +		IF_ADDR_LOCK(ifp);
 +		TAILQ_REMOVE(&ifp->if_groups, ifgl, ifgl_next);
 +		IF_ADDR_UNLOCK(ifp);
 +
 +		TAILQ_FOREACH(ifgm, &ifgl->ifgl_group->ifg_members, ifgm_next)
 +			if (ifgm->ifgm_ifp == ifp)
 +				break;
 +
 +		if (ifgm != NULL) {
 +			TAILQ_REMOVE(&ifgl->ifgl_group->ifg_members, ifgm,
 +			    ifgm_next);
 +			free(ifgm, M_TEMP);
 +		}
 +
 +		if (--ifgl->ifgl_group->ifg_refcnt == 0) {
 +			TAILQ_REMOVE(&ifg_head, ifgl->ifgl_group, ifg_next);
 +			EVENTHANDLER_INVOKE(group_detach_event,
 +			    ifgl->ifgl_group);
 +			free(ifgl->ifgl_group, M_TEMP);
 +		}
 +		IFNET_WUNLOCK();
 +
 +		free(ifgl, M_TEMP);
 +
 +		EVENTHANDLER_INVOKE(group_change_event, groupname);
 +
 +		IFNET_WLOCK();
 +	}
 +	IFNET_WUNLOCK();
 +}
 +
 +/*
   * Stores all groups from an interface in memory pointed
   * to by data
   */
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->closed 
State-Changed-By: mlaier 
State-Changed-When: Mon Apr 13 23:33:36 UTC 2009 
State-Changed-Why:  
Fix commited to head and stable/7.  Thanks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=130977 
>Unformatted:
