Date: Mon, 27 Oct 2003 18:42:37 +0000
From: Bruce M Simpson <bms@spc.org>
To: Kris Kennaway <kris@obsecurity.org>
Cc: freebsd-stable@freebsd.org
Subject: Re: 4.9-RC panic on 24 hours
Message-ID: <20031027184237.GI1052@saboteur.dek.spc.org>
In-Reply-To: <20031027181101.GA7737@rot13.obsecurity.org>
References: <20031026200236.GA46885@gargantuan.com> <20031027181101.GA7737@rot13.obsecurity.org>

On Mon, Oct 27, 2003 at 10:11:01AM -0800, Kris Kennaway wrote:
[snip]
> #16 0xc01f45b5 in arptimer (ignored_arg=0x0) at /usr/src/sys/netinet/if_ether.c:152
>         rt = (struct rtentry *) 0x0
>         s = 4194304
>         la = (struct llinfo_arp *) 0x620000
>         ola = (struct llinfo_arp *) 0x0
> #17 0xc01a8259 in softclock () at /usr/src/sys/kern/kern_timeout.c:131
[snip]
> I wonder if this is related to the (security-related) ARP changes from a few weeks ago.

I don't really have enough to go on here without a full coredump. The la pointer in the backtrace does not look like a valid KVA address. The backtrace for the callout invocation looks fine.

What isn't immediately evident is why la->la_rt would be NULL, unless arptimer is racing something. arp_rtrequest() doesn't add la to the llinfo_arp list until la->la_rt is initialized, so that doesn't seem to be the case. The flip side of that is that we could be in a race during an RTM_DELETE of an llinfo route; again, this doesn't seem to be the case.

BMS