Date: Thu, 3 Aug 2006 22:08:55 +0400 From: Yar Tikhiy <yar@comp.chem.msu.su> To: Sam Leffler <sam@errno.com> Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/sys/net if_vlan.c Message-ID: <20060803180854.GI97316@comp.chem.msu.su> In-Reply-To: <44D22E2F.4070307@errno.com> References: <200608030959.k739x9N6007207@repoman.freebsd.org> <44D22E2F.4070307@errno.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Aug 03, 2006 at 10:11:11AM -0700, Sam Leffler wrote: > Yar Tikhiy wrote: > > yar 2006-08-03 09:59:09 UTC > > > > FreeBSD src repository > > > > Modified files: > > sys/net if_vlan.c > > Log: > > Should vlan_input() ever be called with ifp pointing to a non-Ethernet > > interface, do not just assign -1 to tag because it breaks the logic of > > the code to follow. The better way is to handle this case as an unsupported > > protocol and return unless INVARIANTS is in effect and we can panic. > > Panic is good there because the scenario can happen only because of a > > coding error elsewhere. > > > > We also should show the interface name in the panic message for easier > > debugging of the problem, should it ever emerge. > > Introducing a panic in a place where you can trivially recover is bad > regardless of why you got there. Many people run production systems > with INVARIANTS turned on. Is it now possible to send a "packet of > death" by exploiting this code path? No nastygram can ever achieve this; only FreeBSD commiters possess the ability to :-) The panic can never be reached unless one manages to attach a vlan interface to a non-Ethernet physical interface in advance, which is totally prohibited by the code at the beginning of vlan_config(); and vlan_config() is the only way to attach a vlan interface to a physical interface. I.e., it will take a developer breaking the logic in /sys/net to make the code path expoloitable. OTOH, you are right that we can at least attempt to recover from the situation. Perhaps it's time to introduce a common macro or function that emits a message on the console and then just calls kdb_backtrace() instead of dumping core and halting the system? So users will be able to post the stack traces to the lists and thus help to spot the possible bugs w/o having to go through panics. I'm unsure if sticking raw kdb_backtrace() calls in such places is a good idea, so I'm suggesting a wrapper function or macro. It is to be used in "can absolutely never happen" cases that are not fatal, like the one under discussion. -- Yar
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060803180854.GI97316>