Folks,

We could use some help root-causing this bug.  So far we've determined
why the crash happens, but we don't understand why it's possible for
this to have happened.  Here's what we know:

A snoop process is started to snoop on /dev/ipnet/lo0.  ipnet_open() is
called, a new ipnet_t is created (call it A), and rq->q_ptr is set to A.

Another snoop process is started to also snoop on /dev/ipnet/lo0.
ipnet_open() is called, but via qreopen() (for a reason I don't
understand).  So rq->q_ptr points to A.  ipnet_open() doesn't support
re-opening, so it allocates another ipnet_t (call it B), and rq->q_ptr
is unconditionally re-set to point to B.

You can see how this becomes problematic.  If the second snoop process
quits before the first, B will be freed, and A's ipnet_rq->q_ptr will
point at garbage.  This is evidently why we crash in ipnet_dispatch().

So the question is, why are we getting re-opened?  This doesn't seem
right at all.  Doing the following at the top of ipnet_open() prevents
the panic:

if (rq->q_ptr != NULL)
        return (0);

The problem is, we then end up with only one ipnet_t, but two snoop
processes.  It seems to me that only one snoop would then get packets
that both should be receiving.  I'm definitely missing something on the
innards of STREAMS and/or devname and how this should all work together.

Any hints to make progress on this?

-Seb
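The open/close sequence the mail walks through, modelled in plain C as an added example (not illumos or ipnet driver code): the unconditional q_ptr overwrite beside a hypothetical refcounted reopen. The struct layouts, function names and the refcount fix are all assumptions made for illustration, not the driver's actual code.

```c
/* Model of the ipnet open/close sequence described in the mail.  Added
 * example, not illumos code; the structs and the refcount fix are assumed. */
#include <stdlib.h>
#include <stdbool.h>
typedef struct ipnet { int refcnt; } ipnet_t;
typedef struct queue { ipnet_t *q_ptr; } queue_t;

/* Open as the mail describes it: every open, including a qreopen() on a
 * queue whose q_ptr is already set, allocates a new ipnet_t and clobbers q_ptr. */
static ipnet_t *open_overwrite(queue_t *rq) {
	ipnet_t *ip = calloc(1, sizeof (*ip));
	if (ip != NULL)
		rq->q_ptr = ip;	/* A is orphaned here but still dispatched to */
	return (ip);
}

/* Matching close frees this opener's ipnet_t and leaves q_ptr alone, so
 * once the second snoop exits, q_ptr refers to freed memory (B). */
static bool close_overwrite(queue_t *rq, ipnet_t *ip) {
	free(ip);
	return (true);			/* freed */
}

/* Hypothetical fix: a reopen shares the existing ipnet_t under a refcount,
 * so both snoops use one object and only the last close detaches and frees it. */
static ipnet_t *open_refcount(queue_t *rq) {
	ipnet_t *ip = (rq->q_ptr != NULL) ? rq->q_ptr : open_overwrite(rq);
	if (ip != NULL)
		ip->refcnt++;
	return (ip);
}

static bool close_refcount(queue_t *rq, ipnet_t *ip) {
	if (--ip->refcnt > 0)
		return (false);		/* another opener still holds it */
	rq->q_ptr = NULL;		/* detach before freeing */
	free(ip);
	return (true);
}
/* Replay "second snoop quits before the first" and report whether q_ptr is
 * left pointing at the freed B.  Compares addresses only; never derefs. */
static bool dangles_after_reopen(ipnet_t *(*openf)(queue_t *),
    bool (*closef)(queue_t *, ipnet_t *)) {
	queue_t rq = { NULL };
	ipnet_t *a = openf(&rq);		/* first snoop */
	ipnet_t *b = openf(&rq);		/* second snoop, via qreopen() */
	bool freed = closef(&rq, b);		/* second snoop exits first */
	bool dangling = freed && rq.q_ptr == b;
	(void) closef(&rq, a);			/* first snoop exits */
	return (dangling);
}
```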