From owner-freebsd-stable@FreeBSD.ORG Tue Oct 28 11:32:11 2003 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B6AEB16A4D0 for ; Tue, 28 Oct 2003 11:32:11 -0800 (PST) Received: from arginine.spc.org (arginine.spc.org [195.206.69.236]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9E04E43FEC for ; Tue, 28 Oct 2003 11:32:06 -0800 (PST) (envelope-from bms@spc.org) Received: from localhost (localhost [127.0.0.1]) by arginine.spc.org (Postfix) with ESMTP id 47E4765435; Mon, 27 Oct 2003 18:42:42 +0000 (GMT) Received: from arginine.spc.org ([127.0.0.1]) by localhost (arginine.spc.org [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 88338-01-2; Mon, 27 Oct 2003 18:42:41 +0000 (GMT) Received: from saboteur.dek.spc.org (unknown [81.3.72.68]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by arginine.spc.org (Postfix) with ESMTP id 133CF65375; Mon, 27 Oct 2003 18:42:41 +0000 (GMT) Received: by saboteur.dek.spc.org (Postfix, from userid 1001) id 6583311; Mon, 27 Oct 2003 18:42:37 +0000 (GMT) Date: Mon, 27 Oct 2003 18:42:37 +0000 From: Bruce M Simpson To: Kris Kennaway Message-ID: <20031027184237.GI1052@saboteur.dek.spc.org> References: <20031026200236.GA46885@gargantuan.com> <20031027181101.GA7737@rot13.obsecurity.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="AkbCVLjbJ9qUtAXD" Content-Disposition: inline In-Reply-To: <20031027181101.GA7737@rot13.obsecurity.org> cc: "Michael W. Oliver" cc: freebsd-stable@freebsd.org Subject: Re: 4.9-RC panic on 24 hours X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Oct 2003 19:32:12 -0000 --AkbCVLjbJ9qUtAXD Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Mon, Oct 27, 2003 at 10:11:01AM -0800, Kris Kennaway wrote: [snip] > #16 0xc01f45b5 in arptimer (ignored_arg=0x0) at /usr/src/sys/netinet/if_ether.c:152 > rt = (struct rtentry *) 0x0 > s = 4194304 > la = (struct llinfo_arp *) 0x620000 > ola = (struct llinfo_arp *) 0x0 > #17 0xc01a8259 in softclock () at /usr/src/sys/kern/kern_timeout.c:131 [snip] > I wonder if this is related to the (security-related) ARP changes from a few weeks ago. I don't really have enough to go on here without a full coredump. The la pointer in the backtrace does not look like a valid KVA address. The backtrace for the callout invocation looks fine. What isn't immediately evident is why la->la_rt would be NULL, unless arptimer is racing something. arp_rtrequest() doesn't add la to the llinfo_arp list until la->la_rt is initialized, so that doesn't seem to be the case. The flip side of that is that we could be in a race during an RTM_DELETE of an llinfo route; again, this doesn't seem to be the case. BMS --AkbCVLjbJ9qUtAXD Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Comment: '' iD8DBQE/nWccueUpAYYNtTsRAgXhAJ9lzGH088hQy0l5HXvDSwffogBjqQCgnOVR LpRXGnMpmhF21IfTmzXHBNk= =mIRp -----END PGP SIGNATURE----- --AkbCVLjbJ9qUtAXD--