Message-Id: <200601301544.k0UFiVpc022183@www.freebsd.org>
Date: Mon, 30 Jan 2006 15:44:31 GMT
From: Liang Yi <liangyi571@hotmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: A serious bug in most network drivers from R5 to R6
X-Send-Pr-Version: www-2.3

>Number:         92552
>Category:       kern
>Synopsis:       A serious bug in most network drivers from 5.X to 6.X [regression]
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    yongari
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 30 15:50:02 GMT 2006
>Closed-Date:    Sun Feb 24 23:17:13 UTC 2013
>Last-Modified:  Sun Feb 24 23:17:13 UTC 2013
>Originator:     Liang Yi
>Release:        Release 5.x to Release 6.x
>Organization:
LingZhou Network Inc
>Environment:
FreeBSD XXXXX 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Fri Jan 27 00:32:43 UTC 2006   i386
>Description:
Since Release 5, the adapter is locked while an interrupt is received, except
when if_input is called. Look at this code in if_em.c:

	EM_UNLOCK(adapter);
	(*ifp->if_input)(ifp, m);
	EM_LOCK(adapter);

After if_input returns, the adapter is locked again.


This code is OK most of the time. But if you shut down the interface under
heavy load, ioctl would be called by another thread while if_input is being
called by the interrupt thread, which will crash the system. The workflow
looks like this:

"interrupt thread": lock adapter -> receive packet -> unlock adapter -> if_input -> (task switch)
        |
        V
"ioctl thread": lock adapter -> shutdown interface -> release all resources for this adapter -> unlock adapter -> (task switch)
        |
        V
"interrupt thread": return from if_input -> lock adapter again -> resource not available -> SYSTEM crash!


>How-To-Repeat:
Run a sniffer in a heavy-load environment, then shut down the interface or
reboot the machine; the system will crash most of the time.

>Fix:
Add a patch to the drivers which work like the above. Use another lock or
some special flags to prevent other threads from calling ioctl while receiving packets.

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Feb 1 19:05:14 UTC 2006 
Responsible-Changed-Why:  
Over to freebsd-net for evaluation. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=92552 

From: Bruce Cran <bruce@cran.org.uk>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/92552: A serious bug in most network drivers from 5.X to
 6.X (regression)
Date: Fri, 07 Mar 2008 23:18:23 +0000

 Hi,
 
 Sorry it's taken such a long time to get around to looking at this 
 problem report.   I'm not very familiar with the network code but from 
 looking at if_em.c it appears that a dual locking implementation was 
 added in rev 1.65.2.28 (FreeBSD 6.3) so that the core lock is held by 
 both the ioctl and interrupt handlers and so this problem should no 
 longer occur.   However, the _CORE_LOCK macros are only used in if_em so 
 unless the problem has been fixed in the other network drivers this 
 problem will still exist.   Do you remember which other network drivers 
 are affected?
 
 Thanks,
 Bruce
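
The unlock window from the report and the two remedies named in this thread (a flag rechecked after relocking, and a second lock held by both the ioctl and interrupt paths), as an added single-threaded C model; it is not FreeBSD driver code and not from the report. All names (struct adapter, ioctl_stop, rx_intr, scenario) are hypothetical, and the task switch is forced by calling the shutdown path from inside if_input.

```c
#include <stddef.h>
#include <stdio.h>

/* User-space model, not FreeBSD code: every name here is hypothetical. */
struct adapter {
    int lock;      /* per-adapter lock, dropped around if_input */
    int core;      /* second lock held by the whole handler and by ioctl */
    int use_core;  /* 1 = model the dual-lock scheme */
    int running;   /* cleared by the shutdown path */
    int deferred;  /* shutdowns that had to wait for the core lock */
    int *rx_ring;  /* resource released on shutdown */
};

/* ioctl path: shut the interface down and release its resources. */
static void ioctl_stop(struct adapter *a) {
    if (a->use_core && a->core) { a->deferred++; return; } /* would block here */
    a->lock = 1;
    a->running = 0;
    a->rx_ring = NULL;                 /* models the release */
    a->lock = 0;
}

/* Input routine; the report's "task switch" to the ioctl thread happens here. */
static void if_input(struct adapter *a) { ioctl_stop(a); }

/* Returns 1 = ring used safely, 0 = teardown noticed, -1 = released ring touched. */
static int rx_intr(struct adapter *a, int recheck) {
    int rc;
    if (a->use_core) a->core = 1;
    a->lock = 1;                       /* receive packet under the lock */
    a->lock = 0;                       /* window opens */
    if_input(a);
    a->lock = 1;                       /* window closes */
    if (recheck && !a->running) rc = 0;
    else if (a->rx_ring == NULL) rc = -1;
    else { a->rx_ring[0] = 1; rc = 1; }
    a->lock = 0;
    if (a->use_core) a->core = 0;
    return rc;
}

static int scenario(int use_core, int recheck) {
    int ring[4] = {0};
    struct adapter a = { .use_core = use_core, .running = 1, .rx_ring = ring };
    return rx_intr(&a, recheck);
}
int main(void) {
    printf("%d %d %d\n", scenario(0, 0), scenario(0, 1), scenario(1, 0));
    return 0;
}
```

In a real driver the deferred shutdown would run once the handler drops the core lock; the model only counts it.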
State-Changed-From-To: open->feedback 
State-Changed-By: vwe 
State-Changed-When: Fri Mar 7 23:22:40 UTC 2008 
State-Changed-Why:  

Note that submitter has been asked for feedback. 

Responsible-Changed-From-To: freebsd-net->yongari 
Responsible-Changed-By: andre 
Responsible-Changed-When: Mon Aug 23 18:18:17 UTC 2010 
Responsible-Changed-Why:  
Over to expert. 

State-Changed-From-To: feedback->closed 
State-Changed-By: linimon 
State-Changed-When: Sun Feb 24 23:16:47 UTC 2013 
State-Changed-Why:  
Feedback timeout.  This PR is quite old by now. 

>Unformatted:
