From owner-freebsd-stable@FreeBSD.ORG  Tue Jun 21 09:28:22 2005
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
X-Original-To: freebsd-stable@FreeBSD.org
Delivered-To: freebsd-stable@FreeBSD.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id AFBA216A41C;
	Tue, 21 Jun 2005 09:28:22 +0000 (GMT)
	(envelope-from tataz@tataz.chchile.org)
Received: from postfix4-1.free.fr (postfix4-1.free.fr [213.228.0.62])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 717AD43D48;
	Tue, 21 Jun 2005 09:28:22 +0000 (GMT)
	(envelope-from tataz@tataz.chchile.org)
Received: from tatooine.tataz.chchile.org
	(vol75-8-82-233-239-98.fbx.proxad.net [82.233.239.98])
	by postfix4-1.free.fr (Postfix) with ESMTP id 884D5317E48;
	Tue, 21 Jun 2005 11:28:21 +0200 (CEST)
Received: by tatooine.tataz.chchile.org (Postfix, from userid 1000)
	id 34BAF405B; Tue, 21 Jun 2005 11:28:36 +0200 (CEST)
Date: Tue, 21 Jun 2005 11:28:36 +0200
From: Jeremie Le Hen <jeremie@le-hen.org>
To: Gleb Smirnoff <glebius@FreeBSD.org>
Message-ID: <20050621092836.GD738@obiwan.tataz.chchile.org>
References: <20050621070427.GA738@obiwan.tataz.chchile.org>
	<20050621090701.GB34406@cell.sick.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20050621090701.GB34406@cell.sick.ru>
User-Agent: Mutt/1.5.9i
Cc: freebsd-stable@FreeBSD.org, Jeremie Le Hen <jeremie@le-hen.org>
Subject: Re: panic in RELENG_5 UMA
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jun 2005 09:28:22 -0000

Hi Gleb,

> IMHO, this looks like a race. The route is not locked, when
> its llinfo is edited.
> 
> Probably the mbuf was freed when arp reply arrived and la_hold was send.
> Look into in_arpinput() near 736:
> 
>                         (*ifp->if_output)(ifp, la->la_hold, rt_key(rt), rt);
>                         la->la_hold = 0;
> 
> Yeah, I have just triggered another panic running 15 instances of this
> script on SMP box:
> 
> (
> while (true); do
> 	arp -d 81.19.64.111  >/dev/null 2>&1;
> 	ping -c 1 -t 1 81.19.64.111 >/dev/null 2>&1;
> done
> ) &
> 
> But my duplicate free is in fxp_txeof(). This means that output thread has
> won the race.

This explanation sounds good but my box is an UP with PREEMPTION.
Is is supposed to be also possible in this case ?

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >