Le 01/01/2012 01:13, Stephen Hemminger a écrit :

On Sun, 01 Jan 2012 01:09:50 +0100
Nicolas de Pesloüan[off-list ref]  wrote:

quoted

Le 01/01/2012 00:26, Stephen Hemminger a écrit :

quoted

If slave device already has a receive handler registered, then the
error unwind of bonding device enslave function is broken.

The following will leave a pointer to freed memory in the slave
device list, causing a later kernel panic.
# modprobe dummy
# ip li add dummy0-1 link dummy0 type macvlan
# modprobe bonding
# echo +dummy0>/sys/class/net/bond0/bonding/slaves

The fix is to detach the slave (which removes it from the list)
in the unwind path.

Signed-off-by: Stephen Hemminger<redacted>

Thanks Stephen.

Reviewed-by: Nicolas de Pesloüan<redacted>

The locking in bond driver is a tangled web.

Would be cleaner to get rid of bond->lock altogether.
Slave add/delete should be protected by RTNL, and the lookup should
be converted to RCU.  The problem is that bonding driver implements
own form of circular list to handle round-robin etc.

Bonding has become an incredibly complex thing, due to the large number of corner cases it needs to 
handle. And the locking system in probably part of the problem.

Unfortunately, I'm far from a Linux locking specialist, so I cannot comment on this... I just 
noticed that searching for RTNL in Documentations yields no result... :-(

	Nicolas.