From gene@laptop.starkhome.cs.sunysb.edu  Wed Jan 26 19:33:32 2005
Return-Path: <gene@laptop.starkhome.cs.sunysb.edu>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B707E16A4CF
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 26 Jan 2005 19:33:32 +0000 (GMT)
Received: from grampa.starkeffect.com (grampa.starkeffect.com [207.252.75.228])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 0189F43D4C
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 26 Jan 2005 19:33:30 +0000 (GMT)
	(envelope-from gene@laptop.starkhome.cs.sunysb.edu)
Received: from laptop.starkhome.cs.sunysb.edu (xlaptop [10.0.0.2])
	by grampa.starkeffect.com (8.12.6/8.12.6) with ESMTP id j0QJXRv9071838;
	Wed, 26 Jan 2005 14:33:27 -0500 (EST)
	(envelope-from gene@laptop.starkhome.cs.sunysb.edu)
Received: from laptop.starkhome.cs.sunysb.edu (laptop [10.0.1.3])
	by laptop.starkhome.cs.sunysb.edu (8.12.11/8.12.11) with ESMTP id j0QJXQ4H057713;
	Wed, 26 Jan 2005 14:33:26 -0500 (EST)
	(envelope-from gene@laptop.starkhome.cs.sunysb.edu)
Received: (from gene@localhost)
	by laptop.starkhome.cs.sunysb.edu (8.12.11/8.12.6/Submit) id j0QJXQkv057710;
	Wed, 26 Jan 2005 14:33:26 -0500 (EST)
	(envelope-from gene)
Message-Id: <16887.61574.336173.945503@laptop.starkhome.cs.sunysb.edu>
Date: Wed, 26 Jan 2005 14:33:26 -0500
From: Gene Stark <gene@starkhome.cs.sunysb.edu>
Reply-To: gene@starkhome.cs.sunysb.edu
To: freebsd-gnats-submit@FreeBSD.org
Subject: Followup to my report

>Number:         76723
>Category:       kern
>Synopsis:       Followup to my report
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 26 19:40:28 GMT 2005
>Closed-Date:    Wed Jan 26 23:58:21 GMT 2005
>Last-Modified:  Wed Jan 26 23:59:17 GMT 2005
>Originator:     
>Release:        
>Organization:
>Environment:
>Description:
 The patch I proposed in my original report exposed another bug
 in net/bpf.c, which I reported in PR-76410.  However, after making
 that additional patch, I found that there were still issues with if_xl.c,
 in that under the circumstances I described it would incorrectly called
 ether_ifdetach() without previously having called ether_ifattach().
 Examination of the code for ether_ifdetach() shows that it is not in
 any way, shape, or form intended to be called if ether_ifattach() had
 not previously been completed successfully.
 
 So, I added an additional flag to the if_xl driver to record whether
 ether_ifattach() was performed during initialization, so that calling
 ether_ifdetach() could be avoided during the failure unwind.
 This patch now successfully avoids panicking my laptop when the
 "cannot allocate memory for list buffers" condition occurs.
 Here are diffs for the full patch:
 
 
 Index: if_xl.c
 ===================================================================
 RCS file: /A/cvs/src/sys/pci/if_xl.c,v
 retrieving revision 1.72.2.29
 diff -c -r1.72.2.29 if_xl.c
 *** if_xl.c	19 Mar 2004 23:21:05 -0000	1.72.2.29
 --- if_xl.c	19 Jan 2005 14:00:58 -0000
 ***************
 *** 1770,1775 ****
 --- 1770,1776 ----
   	 * Call MI attach routine.
   	 */
   	ether_ifattach(ifp, ETHER_BPF_SUPPORTED);
 + 	sc->xl_ether_ifattached = 1;
   
           /*
            * Tell the upper layer(s) we support long frames.
 ***************
 *** 1825,1831 ****
   
   	xl_reset(sc);
   	xl_stop(sc);
 ! 	ether_ifdetach(ifp, ETHER_BPF_SUPPORTED);
   	
   	if (sc->xl_miibus)
   		device_delete_child(dev, sc->xl_miibus);
 --- 1826,1833 ----
   
   	xl_reset(sc);
   	xl_stop(sc);
 ! 	if (sc->xl_ether_ifattached)
 ! 		ether_ifdetach(ifp, ETHER_BPF_SUPPORTED);
   	
   	if (sc->xl_miibus)
   		device_delete_child(dev, sc->xl_miibus);
 ***************
 *** 3274,3280 ****
   			sc->xl_cdata.xl_rx_chain[i].xl_mbuf = NULL;
   		}
   	}
 ! 	bzero(sc->xl_ldata.xl_rx_list, XL_RX_LIST_SZ);
   	/*
   	 * Free the TX list buffers.
   	 */
 --- 3276,3287 ----
   			sc->xl_cdata.xl_rx_chain[i].xl_mbuf = NULL;
   		}
   	}
 ! 	if(sc->xl_ldata.xl_rx_list != NULL)
 ! 	  bzero(sc->xl_ldata.xl_rx_list, XL_RX_LIST_SZ);
 ! 	else
 ! 	  printf("xl%d: xl_ldata.xl_rx_list == NULL in xl_stop!\n",
 ! 		 sc->xl_unit);
 ! 
   	/*
   	 * Free the TX list buffers.
   	 */
 ***************
 *** 3288,3294 ****
   			sc->xl_cdata.xl_tx_chain[i].xl_mbuf = NULL;
   		}
   	}
 ! 	bzero(sc->xl_ldata.xl_tx_list, XL_TX_LIST_SZ);
   
   	ifp->if_flags &= ~(IFF_RUNNING | IFF_OACTIVE);
   
 --- 3295,3305 ----
   			sc->xl_cdata.xl_tx_chain[i].xl_mbuf = NULL;
   		}
   	}
 ! 	if(sc->xl_ldata.xl_tx_list != NULL)
 ! 	  bzero(sc->xl_ldata.xl_tx_list, XL_TX_LIST_SZ);
 ! 	else
 ! 	  printf("xl%d: xl_ldata.xl_tx_list == NULL in xl_stop!\n",
 ! 		 sc->xl_unit);
   
   	ifp->if_flags &= ~(IFF_RUNNING | IFF_OACTIVE);
   
 
 
 Index: if_xlreg.h
 ===================================================================
 RCS file: /A/cvs/src/sys/pci/if_xlreg.h,v
 retrieving revision 1.25.2.8
 diff -r1.25.2.8 if_xlreg.h
 607a608
 > 	int			xl_ether_ifattached;
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: linimon 
State-Changed-When: Wed Jan 26 23:57:02 GMT 2005 
State-Changed-Why:  
Misfiled followup to kern/76207 due to Subject line mangling. 


Responsible-Changed-From-To: gnats-admin->freebsd-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Jan 26 23:57:02 GMT 2005 
Responsible-Changed-Why:  

http://www.freebsd.org/cgi/query-pr.cgi?pr=76723 
>Unformatted:

To: freebsd-gnats-submit@FreeBSD.org,"stark@cs.sunysb.edu?subject=Re:kern/76207:Null.pointer.dereference.in.xl_detach"@laptop.starkhome.cs.sunysb.edu ()
