panic in RELENG_5 UMA

Gleb Smirnoff glebius at FreeBSD.org
Thu Jun 23 10:42:35 GMT 2005


On Wed, Jun 22, 2005 at 03:03:53PM +0200, Andre Oppermann wrote:
A> > Fixing this one is harder. We take la from unlocked rtentry obtained via
A> > rt_check(), or from arplookup(). The latter drops lock on rtentry, too.
A> > Then we do some work and use this la. It may have already been freed in
A> > arp_rtrequest(), the RTM_DELETE case.
A> > 
A> > I see two approaches here:
A> > 
A> > 1) Protecting llinfo with route lock. In this case we need rt_check()
A> > to return locked *rt (just reference won't help). We also need
A> > arplookup() to return locked rt. And do not unlock it within all
A> > arpresolve() and a big part of in_arpinput() functions.
A> 
A> I think for 5-stable this is the way to go.

What about fixing it step by step? The patch attached to my previous message
fixes the panic reported by Jeremie, I suppose. It is a race between the output
path and the input path, which can occur at any time at runtime.

The race that is not fixed by my patch (discussed above), between the output path
and the RTM_DELETE message, is less critical - it can occur only when the administrator
runs arp -d.

Can you please review my patch? I think we should commit it first, and then
work on the second race.

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
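
Approach 1 from the quoted discussion (the lookup returns a locked entry, and la is used only while that lock is held), sketched as an added user-space example that is not part of the original message and is not FreeBSD code. Every name in it (rt_model, lookup_locked, delete_entry, resolve) is hypothetical, and a C11 atomic flag used as a try-lock stands in for the route lock so the sequence can be shown in one thread.

```c
/* User-space model only: every name here is hypothetical, not FreeBSD code. */
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct llinfo { unsigned char mac[6]; };   /* stands in for the ARP llinfo */
struct rt_model {
    atomic_flag lock;                      /* stands in for the route lock */
    struct llinfo *la;                     /* freed by the delete path */
};

/* Try-lock so a single-threaded demo can observe "busy"; a kernel mutex
 * would instead make the second party wait until the holder unlocks. */
static int rt_trylock(struct rt_model *rt) { return !atomic_flag_test_and_set(&rt->lock); }
static void rt_unlock(struct rt_model *rt) { atomic_flag_clear(&rt->lock); }

/* Approach 1: on success the lookup returns with the lock still held. */
static struct llinfo *lookup_locked(struct rt_model *rt) {
    if (!rt_trylock(rt)) return NULL;
    if (rt->la == NULL) { rt_unlock(rt); return NULL; }
    return rt->la;                         /* caller must rt_unlock() */
}

/* Delete path: frees la only under the lock. 0 = freed, -1 = lock busy. */
static int delete_entry(struct rt_model *rt) {
    if (!rt_trylock(rt)) return -1;
    free(rt->la);
    rt->la = NULL;                         /* later lookups see no entry */
    rt_unlock(rt);
    return 0;
}

/* Output path: la is read only while the lock taken by the lookup is held. */
static int resolve(struct rt_model *rt, unsigned char out[6]) {
    struct llinfo *la = lookup_locked(rt);
    if (la == NULL) return -1;
    memcpy(out, la->mac, 6);
    rt_unlock(rt);
    return 0;
}

int main(void) {
    struct rt_model rt; unsigned char mac[6];
    atomic_flag_clear(&rt.lock);
    rt.la = calloc(1, sizeof(*rt.la));     /* constructed sample entry */
    (void)lookup_locked(&rt);              /* output path now holds the lock */
    printf("delete while la in use: %d\n", delete_entry(&rt));
    rt_unlock(&rt);                        /* output path is done with la */
    printf("delete after unlock:    %d\n", delete_entry(&rt));
    printf("resolve after delete:   %d\n", resolve(&rt, mac));
    return 0;
}
```

The unsafe pattern described in the thread corresponds to calling rt_unlock() between lookup_locked() and the use of la, which lets delete_entry() free the structure in between.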

