Date: Thu, 15 Apr 2004 15:16:19 +0300
From: Pavel Gulchouck
To: current@freebsd.org
Subject: kernel panic in if_ppp.c
Message-ID: <20040415121619.GB31043@happy.kiev.ua>

Hi.

I have a systematic kernel panic when using pppd; debugging shows it's in m_freem() called from ppp_inproc().

In the source code I see that in the "input queue full" case there is a "goto bad" when m has already been freed by IF_HANDOFF() or netisr_queue(), and after this goto the system crashes on the second m_freem(m). The system works correctly after fixing this bug.

Checking the condition "if (m)" after the label "bad:" at line 1594 of net/if_ppp.c is senseless because m never changes its value in the ppp_inproc() function.

Here's the patch. Another way is to simply add "m = NULL" before "goto bad" at line 1582. RELENG_5_2 has this bug too.

--- net/if_ppp.c.orig Wed Jan 21 20:05:38 2004 +++ net/if_ppp.c Thu Apr 15 14:57:16 2004 @@ -1580,5 +1580,5 @@ if_printf(ifp, "input queue full\n"); ifp->if_iqdrops++; - goto bad; + goto bad2; } ifp->if_ipackets++; @@ -1592,6 +1592,6 @@ bad: - if (m) - m_freem(m); + m_freem(m); + bad2: sc->sc_if.if_ierrors++; sc->sc_stats.ppp_ierrors++;

--
Lucky carrier,
Pavel.
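
Review bot: the `goto bad2` in the "input queue full" branch of the first hunk (@@ -1580) needs a comment saying that m no longer belongs to this function at that point. Nothing in the visible lines shows that the failed enqueue has already freed it, so skipping m_freem() reads like a leak to anyone who looks at the code later. A one-line comment directly above the goto, along the lines of /* m was already freed by the failed enqueue */, would keep a later cleanup from turning this back into a double free.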
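
Review bot: removing the `if (m)` guard under `bad:` in the second hunk (@@ -1592) makes every remaining `goto bad` depend on m being non-NULL, or on m_freem() tolerating NULL, and neither is visible in these lines. Either keep the guard or say in the commit message that all jumps to `bad:` were checked. The new label name `bad2` also gives no hint of why it exists; a name that records that the mbuf is already gone would read better. The alternative mentioned in the mail, setting m = NULL before the goto and keeping the single `bad:` label with its guard, would avoid the second label altogether.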