Re: 4.9-RC panic on 24 hours

• Previous message: Joan Picanyol: "Re: reproduceable panic remounting vinum fs's in single mode"
• In reply to: Kris Kennaway: "Re: 4.9-RC panic on 24 hours"
• Next in thread: Kris Kennaway: "Re: 4.9-RC panic on 24 hours"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Date: Mon, 27 Oct 2003 18:42:37 +0000
To: Kris Kennaway <kris@obsecurity.org>

On Mon, Oct 27, 2003 at 10:11:01AM -0800, Kris Kennaway wrote:
[snip]
> #16 0xc01f45b5 in arptimer (ignored_arg=0x0) at /usr/src/sys/netinet/if_ether.c:152
> rt = (struct rtentry *) 0x0
> s = 4194304
> la = (struct llinfo_arp *) 0x620000
> ola = (struct llinfo_arp *) 0x0
> #17 0xc01a8259 in softclock () at /usr/src/sys/kern/kern_timeout.c:131
[snip]
> I wonder if this is related to the (security-related) ARP changes from a few weeks ago.

I don't really have enough to go on here without a full coredump.

The la pointer in the backtrace does not look like a valid KVA address.
The backtrace for the callout invocation looks fine. What isn't immediately
evident is why la->la_rt would be NULL, unless arptimer is racing something.
arp_rtrequest() doesn't add la to the llinfo_arp list until la->la_rt is
initialized, so that doesn't seem to be the case. The flip side of that
is that we could be in a race during an RTM_DELETE of an llinfo route;
again, this doesn't seem to be the case.

BMS

• application/pgp-signature attachment: stored

• Previous message: Joan Picanyol: "Re: reproduceable panic remounting vinum fs's in single mode"
• In reply to: Kris Kennaway: "Re: 4.9-RC panic on 24 hours"
• Next in thread: Kris Kennaway: "Re: 4.9-RC panic on 24 hours"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]