Date: Thu, 23 Jun 2005 14:42:30 +0400 From: Gleb Smirnoff <glebius@FreeBSD.org> To: Andre Oppermann <andre@FreeBSD.org> Cc: qingli@FreeBSD.org, sam@FreeBSD.org, Jeremie Le Hen <jeremie@le-hen.org>, freebsd-stable@FreeBSD.org Subject: Re: panic in RELENG_5 UMA Message-ID: <20050623104230.GB61389@cell.sick.ru> In-Reply-To: <42B961B9.7A5856B3@freebsd.org> References: <20050621070427.GA738@obiwan.tataz.chchile.org> <20050621090701.GB34406@cell.sick.ru> <20050621105154.GA36538@cell.sick.ru> <42B961B9.7A5856B3@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Jun 22, 2005 at 03:03:53PM +0200, Andre Oppermann wrote: A> > Fixing this one is harder. We take la from unlocked rtentry obtained via A> > rt_check(), or from arplookup(). The latter drops lock on rtentry, too. A> > Then we do some work and use this la. It may have already been freed in A> > arp_rtrequest(), the RTM_DELETE case. A> > A> > I see two approaches here: A> > A> > 1) Protecting llinfo with route lock. In this case we need rt_check() A> > to return locked *rt (just reference won't help). We also need A> > arplookup() to return locked rt. And do not unlock it withing all A> > arpresolve() and a big part of in_arpinput() functions. A> A> I think for 5-stable this is the way to go. What about fixing it step by step? The patch attached to my previous message fixes the panic report by Jeremie, I suppose. It is race between output path and input path, that can occur anytime in runtime. The race that is not fixed by my patch (discussed above) is between output path and RTM_DELETE message, is less critical - it can occur only when administrator runs arp -d. Can you please review my patch? I think we should commit it first, and then work on the second race. -- Totus tuus, Glebius. GLEBIUS-RIPN GLEB-RIPE
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050623104230.GB61389>