From owner-cvs-src@FreeBSD.ORG Sat Aug 5 21:11:59 2006
X-Original-To: cvs-src@FreeBSD.org
Delivered-To: cvs-src@FreeBSD.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2E3AC16A4DD; Sat, 5 Aug 2006 21:11:59 +0000 (UTC) (envelope-from yar@comp.chem.msu.su)
Received: from comp.chem.msu.su (comp.chem.msu.su [158.250.32.97]) by mx1.FreeBSD.org (Postfix) with ESMTP id 64EF443D53; Sat, 5 Aug 2006 21:11:58 +0000 (GMT) (envelope-from yar@comp.chem.msu.su)
Received: from comp.chem.msu.su (localhost [127.0.0.1]) by comp.chem.msu.su (8.13.4/8.13.3) with ESMTP id k75LBeTY031375; Sun, 6 Aug 2006 01:11:40 +0400 (MSD) (envelope-from yar@comp.chem.msu.su)
Received: (from yar@localhost) by comp.chem.msu.su (8.13.4/8.13.3/Submit) id k75LBeNl031374; Sun, 6 Aug 2006 01:11:40 +0400 (MSD) (envelope-from yar)
Date: Sun, 6 Aug 2006 01:11:40 +0400
From: Yar Tikhiy
To: Sam Leffler
Message-ID: <20060805211140.GG29277@comp.chem.msu.su>
References: <200608030959.k739x9N6007207@repoman.freebsd.org> <44D22E2F.4070307@errno.com> <20060803180854.GI97316@comp.chem.msu.su> <44D3758C.1000609@errno.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <44D3758C.1000609@errno.com>
User-Agent: Mutt/1.5.9i
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/net if_vlan.c
X-BeenThere: cvs-src@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: CVS commit messages for the src tree
X-List-Received-Date: Sat, 05 Aug 2006 21:11:59 -0000

On Fri, Aug 04, 2006 at 09:27:56AM -0700, Sam Leffler wrote:
> Yar Tikhiy wrote:
> > On Thu, Aug 03, 2006 at 10:11:11AM -0700, Sam Leffler wrote:
> >> Yar Tikhiy wrote:
> >>> yar 2006-08-03 09:59:09 UTC
> >>>
> >>> FreeBSD src repository
> >>>
> >>> Modified files:
> >>> sys/net if_vlan.c
> >>> Log:
> >>> Should vlan_input() ever be called with ifp pointing to a non-Ethernet
> >>> interface, do not just assign -1 to tag because it breaks the logic of
> >>> the code to follow. The better way is to handle this case as an unsupported
> >>> protocol and return unless INVARIANTS is in effect and we can panic.
> >>> Panic is good there because the scenario can happen only because of a
> >>> coding error elsewhere.
> >>>
> >>> We also should show the interface name in the panic message for easier
> >>> debugging of the problem, should it ever emerge.
> >> Introducing a panic in a place where you can trivially recover is bad
> >> regardless of why you got there. Many people run production systems
> >> with INVARIANTS turned on. Is it now possible to send a "packet of
> >> death" by exploiting this code path?
> >
> > No nastygram can ever achieve this; only FreeBSD committers possess
> > the ability to :-)
> >
> > The panic can never be reached unless one manages to attach a vlan
> > interface to a non-Ethernet physical interface in advance, which
> > is totally prohibited by the code at the beginning of vlan_config();
> > and vlan_config() is the only way to attach a vlan interface to a
> > physical interface.
> >
> > I.e., it will take a developer breaking the logic in /sys/net to
> > make the code path exploitable.
> >
> > OTOH, you are right that we can at least attempt to recover from
> > the situation. Perhaps it's time to introduce a common macro or
> > function that emits a message on the console and then just calls
> > kdb_backtrace() instead of dumping core and halting the system?
> > So users will be able to post the stack traces to the lists and
> > thus help to spot the possible bugs w/o having to go through panics.
> > I'm unsure if sticking raw kdb_backtrace() calls in such places
> > is a good idea, so I'm suggesting a wrapper function or macro.
> > It is to be used in "can absolutely never happen" cases that are
> > not fatal, like the one under discussion.
> >
>
> It is my experience that problems like the "packet of death" come about
> from (well-meaning) planting of a landmine of this sort followed,
> sometime later, by another person enabling the code path. I work by the
> rule that panic should be used only in places where you have no way to
> recover or recovery is so hard as to be not worthwhile (based on the
> circumstances).

Sounds fair! if_vlan.c appears to use quite a few KASSERT's and panic's
in places where it could recover by, e.g., failing the current operation.
I'll revise them.

--
Yar
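The recover-instead-of-panic pattern the thread settles on, as an added example that is neither FreeBSD's if_vlan.c nor the patch under discussion: a userland C model in which the input routine treats a non-Ethernet parent as an unsupported protocol and fails the operation, reporting it through a wrapper macro that panics only when INVARIANTS is defined and otherwise prints the message (with the interface name) and calls a backtrace hook, as the message suggests for "can absolutely never happen" cases. The `ifnet_model` struct, the `IFT_*_MODEL` values, `soft_assert()`, `backtrace_hook()` and `vlan_input_model()` are assumptions of this illustration, `backtrace_hook()` stands in for `kdb_backtrace()`, and the sample frame is constructed.

```c
/* Added example, not FreeBSD code: a userland model of "report and recover"
 * versus "panic" for an invariant that should never be violated.  All names
 * below are assumptions for the illustration. */
#include <stdio.h>
#include <stdlib.h>

/* Interface types; the numeric values are constructed for this model. */
enum if_type { IFT_ETHER_MODEL = 6, IFT_PPP_MODEL = 23 };

struct ifnet_model {
    const char  *if_xname;   /* interface name, shown in the diagnostic */
    enum if_type if_type;
};

/* Outcome of the model input routine; the caller drops the frame on
 * VLAN_RC_UNSUPPORTED instead of continuing with a bogus tag. */
enum vlan_rc { VLAN_RC_CONSUMED = 0, VLAN_RC_UNSUPPORTED = 1 };

/* Number of times the recovery path fired; lets a test observe it. */
static int soft_assert_failures = 0;

/* Stand-in for kdb_backtrace(): record that a trace would be printed. */
static void backtrace_hook(void) {
    soft_assert_failures++;
    fprintf(stderr, "  (stack backtrace would be printed here)\n");
}

/* The wrapper the message proposes: under INVARIANTS it panics (modelled
 * as abort()); otherwise it logs, emits a backtrace and lets the caller
 * recover by failing the current operation. */
#ifdef INVARIANTS
#define soft_assert(cond, ...) do {                                   \
    if (!(cond)) { fprintf(stderr, __VA_ARGS__); abort(); }           \
} while (0)
#else
#define soft_assert(cond, ...) do {                                   \
    if (!(cond)) { fprintf(stderr, __VA_ARGS__); backtrace_hook(); }  \
} while (0)
#endif

/* Model of vlan_input(): a non-Ethernet parent cannot happen because the
 * attach path refuses it, but if it does, report and return rather than
 * assigning tag = -1 and running the rest of the logic on it. */
static enum vlan_rc vlan_input_model(const struct ifnet_model *ifp,
                                     const unsigned char *frame, size_t len,
                                     int *tag_out) {
    soft_assert(ifp->if_type == IFT_ETHER_MODEL,
                "vlan_input: non-Ethernet parent %s (type %d)\n",
                ifp->if_xname, (int)ifp->if_type);
    if (ifp->if_type != IFT_ETHER_MODEL)
        return VLAN_RC_UNSUPPORTED;      /* recovery: drop, leave *tag_out */

    /* 802.1Q: dst(6) src(6) TPID(2) TCI(2); the VID is the low 12 TCI bits. */
    if (len < 16)
        return VLAN_RC_UNSUPPORTED;
    *tag_out = ((frame[14] << 8) | frame[15]) & 0x0fff;
    return VLAN_RC_CONSUMED;
}

/* Constructed sample: tagged frame, TPID 0x8100, VID 100 (0x064), type IPv4. */
static const unsigned char sample_frame[18] = {
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05,  0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
    0x81, 0x00,  0x00, 0x64,  0x08, 0x00
};

/* Ethernet parent: returns the parsed VID, or -1 if the frame was refused. */
static int ether_case_tag(void) {
    struct ifnet_model em0 = { "em0", IFT_ETHER_MODEL };
    int tag = -1;
    if (vlan_input_model(&em0, sample_frame, sizeof sample_frame, &tag)
        != VLAN_RC_CONSUMED)
        return -1;
    return tag;
}

/* Non-Ethernet parent: exercises the report-and-recover path. */
static enum vlan_rc nonether_case_rc(void) {
    struct ifnet_model ppp0 = { "ppp0", IFT_PPP_MODEL };
    int tag = -1;
    return vlan_input_model(&ppp0, sample_frame, sizeof sample_frame, &tag);
}

int main(void) {
    int tag = ether_case_tag();
    printf("em0: tag=%d\n", tag);
    printf("ppp0: rc=%d (soft assertion failures so far: %d)\n",
           (int)nonether_case_rc(), soft_assert_failures);
    return 0;
}
```

Compiling with `-DINVARIANTS` turns the `ppp0` case into an abort, which is the behaviour the original commit chose; without it the process keeps running and the frame is simply refused, which is the behaviour the thread argues for in production kernels.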