DragonFly bugs List (threaded) for 2007-12
Re: kernel panic
:Since ifa_addr points at the correct memory position but the rest of
:the pointers are 'deadc0de', the on-list dead in_ifaddr may go through
:the following code and become dead:
:netinet/in.c:
:
:in_ifinit()
:{
:...
:    if (scrub) {
:        ia->ia_ifa.ifa_addr = (struct sockaddr *)&oldaddr;
:        in_ifscrub(ifp, ia);
:        ia->ia_ifa.ifa_addr = (struct sockaddr *)&ia->ia_addr;
:    }
:...
:}
:
:I think in_ifscrub() killed the last reference, but this code path is
:rarely stressed:
:1) From SIOCSIFADDR, which is not used by ifconfig(8) or vkernel(7)
:2) From sppp_set_ip_addr(), is it used on the panic system?
:
:Best Regards,
:sephe

I think you are on to something here. The more I look at that code,
not only in_ifscrub() but just in_ifinit() generally, particularly
the fact that the ia is manipulated both inside and outside the
serializer, the more it looks wrong.

There seem to be a ton of places where the ia can be freed. Frankly
the code paths are almost unreadable to me but I am guessing it is
a call to IFAFREE() somewhere in that mess that is causing the problem.
(see IFAFREE() in net/if_var.h line 44).

The ia is supposed to be protected by a reference count in the ia
structure. The governing route table entry uses a mirror flag RTF_UP
to mean the same thing. When an interface goes down RTM_DELETE is
called and RTF_UP is cleared in the route entry (net/route.c line 808),
but the IFA_ROUTE flag in the ia itself should not be cleared except
by the interface code.

I think what is happening is that the ref count that IFAFREE() depends
on is not being properly incremented or decremented somewhere. There
is either an extra IFAFREE() call being made, or an IFAREF() call is
not being made where it should be.

I don't know where the missing call is but it is either in the route
table code mismatching an IFAREF/IFAFREE (based I think on the RTF_UP
flag but I don't know for sure), or the interface code mismatching an
IFAREF/IFAFREE.

-Matt
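
A user-space model of the swap / scrub / restore sequence discussed in this thread, added here as an illustration and not DragonFly kernel code: it shows how an address object that is one reference short ends up with a valid ifa_addr but poisoned neighbouring pointers, the pattern described in the report. The struct, the function names and the poison-instead-of-free behaviour are assumptions made for the model.

```c
#include <stdint.h>
#include <stdio.h>

#define POISON ((void *)(uintptr_t)0xdeadc0deU)  /* pattern seen in the report */

/* User-space model of an interface address; all names are hypothetical. */
struct ifa_model {
    int   refcnt;     /* outstanding references */
    int   has_route;  /* models IFA_ROUTE: the route entry holds one ref */
    void *addr;       /* models ifa_addr */
    void *next;       /* models the list linkage */
};

static void ifa_ref(struct ifa_model *ifa) { ifa->refcnt++; }

/* The last unref poisons the fields instead of calling free(), so the
 * model can inspect the "freed" object without undefined behaviour. */
static void ifa_unref(struct ifa_model *ifa)
{
    if (--ifa->refcnt == 0) ifa->addr = ifa->next = POISON;
}

/* Models the scrub step: deleting the route drops the route's reference. */
static void scrub(struct ifa_model *ifa)
{
    if (ifa->has_route) { ifa->has_route = 0; ifa_unref(ifa); }
}

/* Swap, scrub, restore. Returns 1 if the restore wrote into a dead object.
 * pin=1 makes the caller hold its own reference across the scrub. */
static int reinit(struct ifa_model *ifa, void *oldaddr, void *newaddr, int pin)
{
    int wrote_dead;
    if (pin) ifa_ref(ifa);
    ifa->addr = oldaddr;
    scrub(ifa);
    wrote_dead = (ifa->refcnt <= 0);
    ifa->addr = newaddr;          /* the store that follows the scrub */
    if (pin) ifa_unref(ifa);
    return wrote_dead;
}

int main(void)
{
    int oldaddr, newaddr, nxt;
    struct ifa_model ia = { 1, 1, &newaddr, &nxt };  /* one ref short */
    int bad = reinit(&ia, &oldaddr, &newaddr, 0);
    printf("wrote_dead=%d addr_ok=%d next_poisoned=%d\n", bad, ia.addr == (void *)&newaddr, ia.next == POISON);
    return 0;
}
```

In the model, pinning the object across the scrub stops the store into dead memory but does not repair the count: the object is still released one reference early, when the pin is dropped.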