cvs commit: src/sys/net if_vlan.c

John Baldwin jhb at freebsd.org
Fri Aug 4 15:36:15 UTC 2006 

On Friday 04 August 2006 03:03, Yar Tikhiy wrote:
> On Thu, Aug 03, 2006 at 02:58:00PM -0400, John Baldwin wrote:
> > On Thursday 03 August 2006 14:08, Yar Tikhiy wrote:
> > > On Thu, Aug 03, 2006 at 10:11:11AM -0700, Sam Leffler wrote:
> > > > Yar Tikhiy wrote:
> > > > > yar         2006-08-03 09:59:09 UTC
> > > > > 
> > > > >   FreeBSD src repository
> > > > > 
> > > > >   Modified files:
> > > > >     sys/net              if_vlan.c 
> > > > >   Log:
> > > > >   Should vlan_input() ever be called with ifp pointing to a 
non-Ethernet
> > > > >   interface, do not just assign -1 to tag because it breaks the 
logic of
> > > > >   the code to follow.  The better way is to handle this case as an 
> > unsupported
> > > > >   protocol and return unless INVARIANTS is in effect and we can 
panic.
> > > > >   Panic is good there because the scenario can happen only because 
of a
> > > > >   coding error elsewhere.
> > > > >   
> > > > >   We also should show the interface name in the panic message for 
easier
> > > > >   debugging of the problem, should it ever emerge.
> > > > 
> > > > Introducing a panic in a place where you can trivially recover is bad
> > > > regardless of why you got there.  Many people run production systems
> > > > with INVARIANTS turned on.  Is it now possible to send a "packet of
> > > > death" by exploiting this code path?
> > > 
> > > No nastygram can ever achieve this; only FreeBSD commiters possess
> > > the ability to :-)
> > > 
> > > The panic can never be reached unless one manages to attach a vlan
> > > interface to a non-Ethernet physical interface in advance, which
> > > is totally prohibited by the code at the beginning of vlan_config();
> > > and vlan_config() is the only way to attach a vlan interface to a
> > > physical interface.
> > > 
> > > I.e., it will take a developer breaking the logic in /sys/net to
> > > make the code path expoloitable.
> > > 
> > > OTOH, you are right that we can at least attempt to recover from
> > > the situation.  Perhaps it's time to introduce a common macro or
> > > function that emits a message on the console and then just calls
> > > kdb_backtrace() instead of dumping core and halting the system?
> > > So users will be able to post the stack traces to the lists and
> > > thus help to spot the possible bugs w/o having to go through panics.
> > > I'm unsure if sticking raw kdb_backtrace() calls in such places
> > > is a good idea, so I'm suggesting a wrapper function or macro.
> > > It is to be used in "can absolutely never happen" cases that are
> > > not fatal, like the one under discussion.
> > 
> > kdb_backtrace() is the wrapper function around other internals. :)
> 
> Of course, we can always grep /sys for its usage later ;-)
> 
> Just noticed that many calls to kdb_backtrace() are under "#ifdef
> KDB" while subr_kdb.c is marked as standard in /sys/conf/files and
> the function itself is always available (yet can do nothing.)
> 
> Should calls to kdb_backtrace() be put under "#ifdef KDB"?  If they
> should, it can justify introducing the combined printf+trace function.

If kdb_backtrace() is always present, then the calls probably shouldn't be 
under the #ifdef.

-- 
John Baldwin

More information about the cvs-src mailing list