On Wed, Jun 22, 2005 at 03:03:53PM +0200, Andre Oppermann wrote:
A> > Fixing this one is harder. We take la from unlocked rtentry obtained via
A> > rt_check(), or from arplookup(). The latter drops lock on rtentry, too.
A> > Then we do some work and use this la. It may have already been freed in
A> > arp_rtrequest(), the RTM_DELETE case.
A> >
A> > I see two approaches here:
A> >
A> > 1) Protecting llinfo with route lock. In this case we need rt_check()
A> > to return locked *rt (just reference won't help). We also need
A> > arplookup() to return locked rt. And do not unlock it within all
A> > arpresolve() and a big part of in_arpinput() functions.
A>
A> I think for 5-stable this is the way to go.

What about fixing it step by step? The patch attached to my previous
message fixes the panic reported by Jeremie, I suppose. It is a race between
output path and input path, that can occur anytime in runtime.

The race that is not fixed by my patch (discussed above), between
output path and RTM_DELETE message, is less critical - it can occur only
when administrator runs arp -d.

Can you please review my patch? I think we should commit it first, and
then work on the second race.

--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
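
The first approach from the quoted text (keep the route lock held from the lookup until la has been used), as a single-threaded userspace model. This is an added example, not code from the thread or from FreeBSD: rt_model, rt_trylock, rtm_delete, resolve, make_entry and the racer hook are hypothetical names, and a try-lock returning EBUSY stands in for a kernel mutex that would block.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model only: names echo the thread, none of this is FreeBSD code. */
struct llinfo { unsigned char mac[6]; };
struct rt_model {
    int locked;           /* stands in for the route lock */
    struct llinfo *la;    /* freed by the RTM_DELETE path */
};

static int rt_trylock(struct rt_model *rt) {
    if (rt->locked) return EBUSY;   /* a kernel mutex would block here instead */
    rt->locked = 1;
    return 0;
}
static void rt_unlock(struct rt_model *rt) { rt->locked = 0; }

/* RTM_DELETE path: llinfo may only be freed with the route lock held. */
static int rtm_delete(struct rt_model *rt) {
    if (rt_trylock(rt) != 0) return EBUSY;
    free(rt->la);
    rt->la = NULL;
    rt_unlock(rt);
    return 0;
}

/* Output path: take the lock at lookup time and keep it until la has been
 * used. `racer` is a hook (assumption) that lets a delete attempt run at the
 * point where unlocked code would lose la. */
static int resolve(struct rt_model *rt, unsigned char out[6],
                   int (*racer)(struct rt_model *), int *racer_result) {
    if (rt_trylock(rt) != 0) return EBUSY;
    if (rt->la == NULL) { rt_unlock(rt); return ENOENT; }
    if (racer != NULL && racer_result != NULL)
        *racer_result = racer(rt);          /* concurrent arp -d */
    memcpy(out, rt->la->mac, 6);            /* la is still valid here */
    rt_unlock(rt);
    return 0;
}

/* Constructed entry with a made-up MAC address. */
static struct rt_model *make_entry(void) {
    static const unsigned char mac[6] = {0x02, 0, 0, 0, 0, 0x01};
    struct rt_model *rt = calloc(1, sizeof(*rt));
    if (rt == NULL || (rt->la = malloc(sizeof(*rt->la))) == NULL) { free(rt); return NULL; }
    memcpy(rt->la->mac, mac, 6);
    return rt;
}
```

A delete that arrives while resolve() holds the lock is refused, so the copy from la cannot touch freed memory; once the lock is released the delete succeeds and the next resolve() sees no llinfo.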