Date: Sun, 6 Aug 2006 01:11:40 +0400
From: Yar Tikhiy <yar@comp.chem.msu.su>
To: Sam Leffler <sam@errno.com>
Message-ID: <20060805211140.GG29277@comp.chem.msu.su>
References: <200608030959.k739x9N6007207@repoman.freebsd.org>
	<44D22E2F.4070307@errno.com>
	<20060803180854.GI97316@comp.chem.msu.su>
	<44D3758C.1000609@errno.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <44D3758C.1000609@errno.com>
User-Agent: Mutt/1.5.9i
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/net if_vlan.c

On Fri, Aug 04, 2006 at 09:27:56AM -0700, Sam Leffler wrote:
> Yar Tikhiy wrote:
> > On Thu, Aug 03, 2006 at 10:11:11AM -0700, Sam Leffler wrote:
> >> Yar Tikhiy wrote:
> >>> yar         2006-08-03 09:59:09 UTC
> >>>
> >>>   FreeBSD src repository
> >>>
> >>>   Modified files:
> >>>     sys/net              if_vlan.c 
> >>>   Log:
> >>>   Should vlan_input() ever be called with ifp pointing to a non-Ethernet
> >>>   interface, do not just assign -1 to tag because it breaks the logic of
> >>>   the code to follow.  The better way is to handle this case as an unsupported
> >>>   protocol and return unless INVARIANTS is in effect and we can panic.
> >>>   Panic is good there because the scenario can happen only because of a
> >>>   coding error elsewhere.
> >>>   
> >>>   We also should show the interface name in the panic message for easier
> >>>   debugging of the problem, should it ever emerge.
> >> Introducing a panic in a place where you can trivially recover is bad
> >> regardless of why you got there.  Many people run production systems
> >> with INVARIANTS turned on.  Is it now possible to send a "packet of
> >> death" by exploiting this code path?
> > 
> > No nastygram can ever achieve this; only FreeBSD committers possess
> > the ability to :-)
> > 
> > The panic can never be reached unless one manages to attach a vlan
> > interface to a non-Ethernet physical interface in advance, which
> > is totally prohibited by the code at the beginning of vlan_config();
> > and vlan_config() is the only way to attach a vlan interface to a
> > physical interface.
> > 
> > I.e., it will take a developer breaking the logic in /sys/net to
> > make the code path exploitable.
> > 
> > OTOH, you are right that we can at least attempt to recover from
> > the situation.  Perhaps it's time to introduce a common macro or
> > function that emits a message on the console and then just calls
> > kdb_backtrace() instead of dumping core and halting the system?
> > So users will be able to post the stack traces to the lists and
> > thus help to spot the possible bugs w/o having to go through panics.
> > I'm unsure if sticking raw kdb_backtrace() calls in such places
> > is a good idea, so I'm suggesting a wrapper function or macro.
> > It is to be used in "can absolutely never happen" cases that are
> > not fatal, like the one under discussion.
> > 
> 
> It is my experience that problems like the "packet of death" come about
> from (well-meaning) planting of a landmine of this sort followed,
> sometime later, by another person enabling the code path.  I work by the
> rule that panic should be used only in places where you have no way to
> recover or recovery is so hard as to be not worthwhile (based on the
> circumstances).

Sounds fair!  if_vlan.c appears to use quite a few KASSERT's and
panic's in places where it could recover by, e.g., failing the
current operation.  I'll revise them.

-- 
Yar
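The recovery rule argued in this thread, as an added example that is not part of the original mail or of FreeBSD's own code: a userland model of vlan_input() whose guard reports the "can't happen" non-Ethernet-parent case and fails the current operation (drops the frame) instead of panicking. Every name in it (ifnet_sim, SOFT_ASSERT, the IFT_*_SIM values, the demo_* helpers) is a constructed stand-in, not a kernel identifier.

```c
/* Added example, not FreeBSD code: fail the operation and report on a
 * "can't happen" condition rather than panic.  Constructed stand-ins
 * for ifnet/vlan_input(); not the kernel's own names or layouts. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IFT_ETHER_SIM  6       /* constructed if_type values */
#define IFT_OTHER_SIM  1
#define ETHERTYPE_VLAN 0x8100  /* 802.1Q TPID */

struct ifnet_sim { const char *if_xname; int if_type; };

/* Stands in for the proposed "console message + kdb_backtrace()" wrapper:
 * name the interface, report the condition, count it; the caller bails out. */
static int soft_assert_hits;
#define SOFT_ASSERT(cond, ifp) do { if (!(cond)) {                       \
	fprintf(stderr, "vlan_input: %s: assertion %s failed\n",          \
	    (ifp)->if_xname, #cond);                                      \
	soft_assert_hits++; } } while (0)

/* Model of vlan_input(): 0 and the VLAN id on success, errno on drop. */
int vlan_input_sim(const struct ifnet_sim *ifp, const uint8_t *f, size_t len,
    int *tag)
{
	*tag = -1;
	SOFT_ASSERT(ifp->if_type == IFT_ETHER_SIM, ifp);
	if (ifp->if_type != IFT_ETHER_SIM)      /* non-Ethernet parent: treat */
		return EPROTONOSUPPORT;         /* as unsupported, drop frame */
	/* 802.1Q: 12 bytes of MACs, 2-byte TPID, 2-byte TCI (VID = low 12 bits) */
	if (len < 16 || ((f[12] << 8) | f[13]) != ETHERTYPE_VLAN)
		return EINVAL;
	*tag = ((f[14] << 8) | f[15]) & 0x0fff;
	return 0;
}

/* Constructed tagged frame: dst/src MACs, TPID 0x8100, TCI with VID 100. */
static const uint8_t vlan_frame[] = {
	0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01,
	0x81,0x00, 0x00,0x64, 0x08,0x00 };

int demo_nonether(void)            /* returns EPROTONOSUPPORT, no abort */
{
	struct ifnet_sim lo = { "lo0", IFT_OTHER_SIM }; int tag;
	return vlan_input_sim(&lo, vlan_frame, sizeof vlan_frame, &tag);
}

int demo_ether_tag(void)           /* returns VID 100 */
{
	struct ifnet_sim em = { "em0", IFT_ETHER_SIM }; int tag;
	return vlan_input_sim(&em, vlan_frame, sizeof vlan_frame, &tag) ? -1 : tag;
}
```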